[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 95bf43b s3: libsmbclient - smb2. MacOSX 10 SMB2 server doesn't set STATUS_NO_MORE_FILES when handed a non-wildcard path. from 4bec186 samba-tool group add: Add option --nis-domain and --gid http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 95bf43bc6a0b6a4a47b8a556eee3b78446ea4123 Author: Jeremy Allison j...@samba.org Date: Tue Oct 21 14:41:32 2014 -0700 s3: libsmbclient - smb2. MacOSX 10 SMB2 server doesn't set STATUS_NO_MORE_FILES when handed a non-wildcard path. Signed-off-by: Jeremy Allison j...@samba.org Reviewed-by: Steve French smfre...@gmail.com Tested-by: Ralph Boehme s...@samba.org Autobuild-User(master): Steve French sfre...@samba.org Autobuild-Date(master): Thu Oct 23 20:44:31 CEST 2014 on sn-devel-104 --- Summary of changes: source3/libsmb/cli_smb2_fnum.c | 14 ++ 1 files changed, 14 insertions(+), 0 deletions(-) Changeset truncated at 500 lines: diff --git a/source3/libsmb/cli_smb2_fnum.c b/source3/libsmb/cli_smb2_fnum.c index a099e03..de4bd6f 100644 --- a/source3/libsmb/cli_smb2_fnum.c +++ b/source3/libsmb/cli_smb2_fnum.c @@ -667,6 +667,7 @@ NTSTATUS cli_smb2_list(struct cli_state *cli, bool processed_file = false; TALLOC_CTX *frame = talloc_stackframe(); TALLOC_CTX *subframe = NULL; + bool mask_has_wild; if (smbXcli_conn_has_async_calls(cli-conn)) { /* @@ -690,6 +691,8 @@ NTSTATUS cli_smb2_list(struct cli_state *cli, goto fail; } + mask_has_wild = ms_has_wild(mask); + status = cli_smb2_create_fnum(cli, parent_dir, 0, /* create_flags */ 
@@ -791,6 +794,17 @@ NTSTATUS cli_smb2_list(struct cli_state *cli, TALLOC_FREE(subframe); + if (!mask_has_wild) { + /* +* MacOSX 10 doesn't set STATUS_NO_MORE_FILES +* when handed a non-wildcard path. Do it +* for the server (with a non-wildcard path +* there should only ever be one file returned. +*/ + status = STATUS_NO_MORE_FILES; + break; + } + } while (NT_STATUS_IS_OK(status)); if (NT_STATUS_EQUAL(status, STATUS_NO_MORE_FILES)) { -- Samba Shared Repository
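Review bot: in the hunk at @@ -791, the override `status = STATUS_NO_MORE_FILES; break;` replaces whatever the last query left in `status` and leaves the loop before the `while (NT_STATUS_IS_OK(status))` test can see it, so any earlier path in the loop body that leaves a non-OK status without jumping to `fail` would be silently masked; guard the override with `if (!mask_has_wild && NT_STATUS_IS_OK(status))` or assert the OK status first. The new comment also has an unclosed parenthesis: "(with a non-wildcard path there should only ever be one file returned." needs its closing ")".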
Re: [Samba] File share permissions act different on member server than on DC
On Sun, 2013-10-13 at 22:31 +0200, Marc Muehlfeld wrote:
> Hello,
>
> a while ago I wrote the http://wiki.samba.org/index.php/Setup_and_configure_file_shares HowTo. When I wrote the HowTo, I setup and configured the share on a DC - what still works like described.
>
> Today I tried the first time to do exactly the same on a 4.0.10 and 4.1.0 _member server_, and it doesn't work there.
>
> The share in smb.conf:
>
>   [demo]
>     path = /srv/samba/Demo
>     read only = no
>
> The folder in the filesystem (XFS):
>
>   drwxr-xr-x 2 root root 6 13. Okt 22:16 /srv/samba/Demo
>
> I connect to the share as Domain Admin, right-click to it and go to the security tab. Here I see now everyone and two root entries.
>
> - I click the edit button and remove the two root entries. When I click apply, everything is reset (the two entries went back).
> - If I grant modify to everyone - where all allow entries are empty per default - and click apply, then all boxes are checked automatically (full access) and CREATOR OWNER and CREATOR GROUP appear. And these two can't be removed any more either.
>
> If I do exactly the same on a DC, then already the security tab shows very different settings the first time I open it. The wiki screenshot shows them: http://wikiupload.samba.org/images/8/8f/Demo_Share_Security.png. But the folder on Linux side is also just 755 (and without any extended ACLs when I begin). Also whatever I change (like remove root from the ACLs) everything is done like expected and saved.
>
> The member server is also self compiled. I installed all packages on my RHEL6 that I have installed on the DC too.
>
> Any idea what could be different on a 4.x member than on a DC? Or did I find a bug?
>
> Regards
> Marc

Hi

It looks like that on the DC, Administrator already has admin permissions on the share (like root in Linux) but on a file server he doesn't. You have to specify Administrator as an admin user or give him full posix rights on the share using setfacl.
Summary. Administrator behaves as:

  DC: like root on a Linux box
  File server: a normal unprivileged domain user

I think the file server is correct. Windows doesn't have a user like root.

HTH
Steve
-- 
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] getent group by name fails
On Fri, 2013-10-11 at 14:06 -0400, Lee Allen wrote:
> Steve thank you for pointing that out. I made those changes and it does not affect the results.
>
> 'getent group UID' works
> 'getent group groupname' does not work, for the same group
>
> On Fri, Oct 11, 2013 at 12:25 PM, steve st...@steve-ss.com wrote:
> > Quite a bit missing here. Try:
> >
> >   idmap config * : backend = tdb
> >   idmap config * : range = 9800-9900
> >   idmap config ALLENLAN : default = yes
> >   idmap config ALLENLAN : schema mode = rfc2307
> >   idmap config ALLENLAN : backend = ad
> >   idmap config ALLENLAN : range = 1-100
> >
> > HTH
> > Steve

I don't think it works with winbind. If you really need it, the best way is to use sssd or nslcd. Is it important that it works for you? A script maybe?

Steve
Re: [Samba] getent group by name fails
On Fri, 2013-10-11 at 10:16 -0400, Lee Allen wrote:
> Samba 3.6.17 joined to Samba 4.2.0 AD domain, using winbind
>
> 'wbinfo -g' and 'getent group' successfully list all groups.
> 'getent group 10006' returns: domain users:x:10006:
> 'getent group domain users' fails with return code 2
>
> partial log.winbind after above command:
>
>   [2013/10/11 10:01:31.288199, 3] winbindd/winbindd_misc.c:384(winbindd_interface_version)
>     [31911]: request interface version
>   [2013/10/11 10:01:31.288288, 3] winbindd/winbindd_misc.c:417(winbindd_priv_pipe_dir)
>     [31911]: request location of privileged pipe
>   [2013/10/11 10:01:31.288421, 3] winbindd/winbindd_getgrnam.c:56(winbindd_getgrnam_send)
>     getgrnam domain users
>   [2013/10/11 10:01:31.288520, 3] winbindd/winbindd_msrpc.c:252(msrpc_name_to_sid)
>     msrpc_name_to_sid: name=DOMAIN\USERS
>   [2013/10/11 10:01:31.288547, 3] winbindd/winbindd_msrpc.c:266(msrpc_name_to_sid)
>     name_to_sid [rpc] DOMAIN\USERS for domain DOMAIN
>
> if I specify the domain name, ie: 'getent group ALLENLAN\\domain users' it still fails...
>
>   [2013/10/11 10:02:18.280728, 3] winbindd/winbindd_misc.c:384(winbindd_interface_version)
>     [31925]: request interface version
>   [2013/10/11 10:02:18.280823, 3] winbindd/winbindd_misc.c:417(winbindd_priv_pipe_dir)
>     [31925]: request location of privileged pipe
>   [2013/10/11 10:02:18.280940, 3] winbindd/winbindd_getgrnam.c:56(winbindd_getgrnam_send)
>     getgrnam ALLENLAN\domain users
>   [2013/10/11 10:02:18.281033, 3] winbindd/winbindd_msrpc.c:252(msrpc_name_to_sid)
>     msrpc_name_to_sid: name=ALLENLAN\DOMAIN\USERS
>   [2013/10/11 10:02:18.281060, 3] winbindd/winbindd_msrpc.c:266(msrpc_name_to_sid)
>     name_to_sid [rpc] ALLENLAN\DOMAIN\USERS for domain ALLENLAN\DOMAIN
>
> Note the missing space in DOMAIN\USERS in the logs. I don't know whether this is relevant.
>
> 'getent passwd' does not have any such problems - it can query by UID or username
>
> smb.conf:
>
>   [global]
>     workgroup = ALLENLAN
>     realm = allenlan.net
>     password server = 192.168.0.13
>     preferred master = no
>     server string = zone-samba3
>     security = ads
>     encrypt passwords = yes
>     log level = 3
>     log file = /var/log/samba/%m
>     max log size = 50
>     printcap name = cups
>     printing = cups
>     winbind enum users = yes
>     winbind enum groups = yes
>     winbind use default domain = yes
>     winbind nested groups = yes
>     winbind separator = \
>     idmap config * : backend = ad
>     idmap config * : range = 1-10

Quite a bit missing here. Try:

  idmap config * : backend = tdb
  idmap config * : range = 9800-9900
  idmap config ALLENLAN : default = yes
  idmap config ALLENLAN : schema mode = rfc2307
  idmap config ALLENLAN : backend = ad
  idmap config ALLENLAN : range = 1-100

HTH
Steve
Re: [Samba] DNS frustration
On Tue, 2013-10-08 at 22:59 -0700, Scott Goodwin wrote:
> * Samba4 with BIND_DLZ (with windows clients updating AD via kerberos)
>
> Dammit this is so close! But Windows client dns updates do not work. Actually, they worked at first, then they stopped working. Errors like this:
>
>   Oct 8 21:38:16 earl named[7695]: samba_dlz: starting transaction on zone mydomain.com
>   Oct 8 21:38:16 earl named[7695]: client 10.2.2.227#52980: update 'mydomain.com/IN' denied
>   Oct 8 21:38:16 earl named[7695]: samba_dlz: cancelling transaction on zone mydomain.com
>
> This is a decidedly ubiquitous problem out there, and one can google on this for hours, with no solid fixes or answers. Per this guy's advice http://article.gmane.org/gmane.network.samba.general/131081/match= I downloaded and compiled bind 9.8, and also 9.9 (just for good measure) using the proper flags (--with-dlopen=yes, --with-gssapi=/usr/include/gssapi, and WITHOUT the flag --disable-isc-spnego). After I did this, it actually worked for a few hours! Then all of a sudden, it stopped working with the above errors littering my named.log again.

Hi

Do you have CNAME's? If not, then it's just because you've tried different Samba versions but with the same dns records. Try deleting the old machine record so that a new one corresponding to your new install will recreate it at the next update request. I don't know your domain names and finding the DN for the machine took some working out, but I've an example here:
http://linuxcostablanca.blogspot.com.es/2013/09/samba4-bind9dlz-stale-dns-records-with.html

HTH
Steve
Re: [Samba] wbinfo -i domain_username issue
On Wed, 2013-10-09 at 10:18 +0200, Alessio Tomelleri wrote:
> Thx Steve for your quick reply.
> ...and sorry for my lateness, but I was away the last two days, anyway here I am...
> First, nscd is not running anywhere...
> Secondly, I have to admit that perhaps (almost surely), I have misunderstood something about samba4/winbind, and these last two days have been useful to clarify it to me...
> Yes, that configuration implies what you wrote... actually AD relies on 2k3 servers that have no uidNumber and/or gidNumber conf...
> I think I have to rely on our old openldap or switch to configuring this member server as a samba4 dc integrated in the domain
>
> Thx,
> Alessio Tomelleri

Hi

2003 didn't have either rfc2307 or sfu, so if you wish to keep your idmap in ad then you'll need to extend the schema to sfu. The other alternative (which I hate) is the rid backend:

  idmap config *:backend = tdb
  idmap config *:range = 70001-8
  idmap config SHORTDOMAIN:backend = rid
  idmap config SHORTDOMAIN:range = 500-4

It maps the uid:gid pair depending on the RID and stores the values in a second db.

HTH
Steve
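The RID arithmetic the reply above describes, as an added example that is not Samba's own code: idmap_rid derives the Unix ID as RID - BASE_RID + LOW_RANGE_ID and refuses IDs that fall outside the stanza's range. The ranges and the domain SID below are constructed stand-ins for the truncated values quoted above, and the overlap check at the end is the misconfiguration to look for when two stanzas can hand out the same Unix ID.

```python
"""idmap_rid mapping arithmetic (added example, not Samba's code).

ID = RID - BASE_RID + LOW_RANGE_ID   (BASE_RID defaults to 0)
"""
import re
from typing import Dict, List, Optional, Tuple

# Matches a domain SID and captures (domain part, RID).
SID_RE = re.compile(r"^(S-1-5-21-\d+-\d+-\d+)-(\d+)$")

# Constructed stand-in for the smb.conf idmap stanzas quoted on this page;
# the poster's own numbers are truncated, so these are sample values.
IDMAP_CONFIG: Dict[str, dict] = {
    "*":           {"backend": "tdb", "range": (70001, 80000)},
    "SHORTDOMAIN": {"backend": "rid", "range": (500000, 4000000), "base_rid": 0},
}

# Constructed domain SID; on a real member server it comes from `net getdomainsid`.
DOMAIN_SIDS = {"S-1-5-21-1111111111-2222222222-3333333333": "SHORTDOMAIN"}


def split_sid(sid: str) -> Tuple[str, int]:
    """Split a domain SID string into (domain SID, RID)."""
    m = SID_RE.match(sid)
    if not m:
        raise ValueError(f"not a domain SID: {sid}")
    return m.group(1), int(m.group(2))


def rid_to_id(rid: int, domain: str, config=IDMAP_CONFIG) -> int:
    """Apply the idmap_rid formula and enforce the stanza's range."""
    entry = config[domain]
    if entry["backend"] != "rid":
        raise ValueError(f"{domain} is not configured with the rid backend")
    low, high = entry["range"]
    unix_id = rid - entry.get("base_rid", 0) + low
    if not low <= unix_id <= high:
        raise ValueError(f"RID {rid} maps to {unix_id}, outside {low}-{high}")
    return unix_id


def sid_to_id(sid: str, config=IDMAP_CONFIG,
              domain_sids=DOMAIN_SIDS) -> Tuple[Optional[int], str]:
    """Resolve a SID the way winbind picks a backend for it.

    SIDs from a domain with its own stanza are computed with rid_to_id.
    Anything else falls to the '*' backend (tdb here), which allocates
    from its own database, so the ID cannot be predicted: None is returned.
    """
    domain_sid, rid = split_sid(sid)
    domain = domain_sids.get(domain_sid)
    if domain is None or domain not in config:
        return None, config["*"]["backend"]
    return rid_to_id(rid, domain, config), config[domain]["backend"]


def overlapping_ranges(config) -> List[Tuple[str, str]]:
    """Return pairs of stanzas whose ID ranges overlap.

    An overlap between '*' and a domain range means two different SIDs can
    end up owning the same Unix ID, which silently merges file ownership.
    """
    names = sorted(config)
    bad = []
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            a_low, a_high = config[a]["range"]
            b_low, b_high = config[b]["range"]
            if a_low <= b_high and b_low <= a_high:
                bad.append((a, b))
    return bad
```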
Re: [Samba] wbinfo -i domain_username issue
On Mon, 2013-10-07 at 18:07 +0200, Alessio Tomelleri wrote:
>   idmap config *:backend = tdb
>   idmap config *:range = 70001-8
>   idmap config SHORTDOMAIN:backend = ad
>   idmap config SHORTDOMAIN:schema_mode = rfc2307
>   idmap config SHORTDOMAIN:range = 500-4
>   winbind nss info = rfc2307

Hi

This configuration suggests that your rfc2307 attributes are stored in AD. Are you sure your users and groups have uidNumber and/or gidNumber attributes set under their respective DN's? If not, then winbind has nothing to retrieve for the getent command.

Oh, and kill any nscd for the moment.

HTH
Steve
Re: [Samba] Should I forget sssd ?
On Tue, 2013-10-01 at 17:06 +1100, m...@electronico.nc wrote:
> On 01/10/2013 16:44, steve wrote:
> > Hi
> > It looks as though the ad backend is broken in 1.11.1. At least I can't get it going with a similar sssd.conf:
> > https://lists.fedorahosted.org/pipermail/sssd-devel/2013-September/016892.html
> > I rolled back to 1.10.0 and it's fine.
> > Re: your question. If you can get away without having Linux clients in the domain, then yes, you can forget sssd entirely.
> > HTH and good luck,
> > Steve
>
> Ah !!! This makes sense of my life ( https://lists.fedorahosted.org/pipermail/sssd-devel/2013-September/016892.html ) !
> I was wondering if I wouldn't go back to sheep and cows ;-)
> Will try sssd 1.10.0 !
> (Yes Ubuntu host is actually the only Linux 'client' in the domain)
> Thanks again (posting 48 hours earlier would have saved my soul during this time)
> Nicolas

Hi

The bug in 1.11.1 has been fixed by the Red Hat guys:

[PATCH] AD: properly initialize GC from ad_server option
---
 src/providers/ad/ad_common.c | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/src/providers/ad/ad_common.c b/src/providers/ad/ad_common.c
index 700ac03..ab62d64 100644
--- a/src/providers/ad/ad_common.c
+++ b/src/providers/ad/ad_common.c
@@ -441,7 +441,7 @@ _ad_servers_init(TALLOC_CTX *mem_ctx, } sdata-gc = true; -ret = be_fo_add_server(bectx, fo_service, list[i], 0, sdata, primary); +ret = be_fo_add_server(bectx, fo_gc_service, list[i], 0, sdata, primary); if (ret ret != EEXIST) { DEBUG(SSSDBG_FATAL_FAILURE, (Failed to add server\n)); goto done;
-- 
1.7.7.6

HTH
Steve
Re: [Samba] Should I forget sssd ?
On Tue, 2013-10-01 at 15:48 +1100, m...@electronico.nc wrote:
> Hi again,
>
> Thanks again, Denis, Steve and Rowland for your previous answers about RFC2307 and winbind.
> Maybe I'm a dreamer but here is what I wanted to achieve:
>
> Ubuntu server 12.04.3, samba4 as PDC, several NICs: 1 LAN and 2/3 WANs
> Use a windows VM (on this server) to control AD through WRAT
> AD offers me the 'wisdom' of software deployment and GPO, users can't install anything
> All standard Linux services (apache, postfix, dovecot, pptp, mysql, webmail, ...) can query AD
>
> What is done:
> I have setup 'folder redirection' in WRAT, so users' 'documents' and 'desktop' are available offline and mapped to home/%U on server
> AD Administrator has a roaming profile
> Searched a lot and succeeded in deploying Office, Acrobat reader, Skype, 7-zip, Firefox to users (windows is another world...)
> Shares are mounted (depending on AD 'ou' rights) on users' pcs
> Administrator can login via UltraVNC to all workstations
>
> What needs to be done:
> Linux services to auth to AD
>
> From what I've read, sssd is the more secure solution to achieve this, but ...
>
> Using sssd 1.11.1 :
> files configuration:
>
> 1) sudo cat /etc/sssd/sssd.conf
>
>   [sssd]
>   services = nss, pam
>   config_file_version = 2
>   domains = radiodjiido.nc
>
>   [nss]
>
>   [pam]
>
>   [domain/radiodjiido.nc]
>   dyndns_update = false
>   ad_hostname = serveur.radiodjiido.nc
>   ad_server = serveur.radiodjiido.nc
>   ad_domain = radiodjiido.nc
>   ldap_schema = ad
>   id_provider = ad
>   access_provider = simple
>   enumerate = true
>   cache_credentials = true
>   auth_provider = krb5
>   chpass_provider = krb5
>   krb5_realm = RADIODJIIDO.NC
>   krb5_server = serveur.radiodjiido.nc
>   krb5_kpasswd = serveur.radiodjiido.nc
>   #next line only lists users with uidNumber/gidNumber entered via ldbedit
>   ldap_id_mapping = false
>   ldap_referrals = false
>   ldap_uri = ldap://serveur.radiodjiido.nc
>   ldap_search_base = dc=radiodjiido,dc=nc
>   ldap_user_object_class = user
>   ldap_user_name = samAccountName
>   ldap_user_uid_number = uidNumber
>   ldap_user_gid_number = gidNumber
>   ldap_user_home_directory = unixHomeDirectory
>   ldap_user_shell = loginShell
>   ldap_group_object_class = group
>   ldap_group_search_base = dc=radiodjiido,dc=nc
>   ldap_group_name = cn
>   ldap_group_member = member
>   ldap_sasl_mech = gssapi
>   #ldap_sasl_authid = serveur$
>   ldap_sasl_authid = serveur$@RADIODJIIDO.NC
>   krb5_keytab = /etc/krb5.sssd.keytab
>   ldap_krb5_init_creds = true

Hi

It looks as though the ad backend is broken in 1.11.1. At least I can't get it going with a similar sssd.conf:
https://lists.fedorahosted.org/pipermail/sssd-devel/2013-September/016892.html

I rolled back to 1.10.0 and it's fine.

Re: your question. If you can get away without having Linux clients in the domain, then yes, you can forget sssd entirely.

HTH and good luck,
Steve
Re: [Samba] Must Samba4 AD be provisionned with rfc2307 to use winbind ?
On Sat, 2013-09-28 at 11:06 +1100, m...@electronico.nc wrote:
> On 27/09/2013 20:36, steve wrote:
> > On Fri, 2013-09-27 at 19:09 +1100, m...@electronico.nc wrote:
> > > Hi all,
> > > (Trying to connect squid, postfix, dovecot, pptp, etc ... to AD)
> > > Samba 4.0.9, as PDC, on Ubuntu 12.04.3 server.
> > > Compiled with : ./configure --enable-debug --enable-selftest
> > > Domain provision : /usr/local/samba/bin/samba-tool domain provision
> > > Despite my reads and tries, I'm unable to list the AD users from Linux.
> > >   /usr/local/samba/bin/wbinfo -t
> > >   /usr/local/samba/bin/wbinfo -u
> > >   /usr/local/samba/bin/wbinfo -g
> > > are OK but :
> > >   getent passwd
> > > only lists Linux users.
> > > AD works OK and a lot of work has been done on it.
> > > If the rfc2307 option is required during domain provision, can I launch it without losing the whole AD configuration ?
> >
> > Hi
> > No. You don't need to provision with rfc2307 to be able to use it. You simply need to add the rfc2307 attributes to the DN's of the users. e.g. use wbinfo to get the numbers:
> >
> >   wbinfo -i steve2
> >   HH3\steve2:*:321:20513::/home/HH3/steve2:/bin/false
> >
> > Now add:
> >
> >   uidNumber: 321
> >   gidNumber: 20513
> >
> > to steve2
> >
> > An easy way to do that is with ldbedit. If you have a lot of users, use a script and then add the attributes using ldbmodify. I'd recommend using nslcd or sssd so that getent will pull the information from AD.
> > HTH
> > Steve
>
> Thanks Denis and Steve for the answers.
> Without the rfc2307 domain provision, will I have to add manually uidNumber and gidNumber each time a new user is created from Windows Management Console ?

If you want to use MMC then yes. But why not add new users and groups using samba-tool? With 4.1.0 rc's you can add the user along with all his rfc2307 from the command line.

> Thanks to :
> http://linuxcostablanca.blogspot.com/2013/04/sssd-build-on-opensuse.html
> http://wiki.samba.org/index.php/Local_user_management_and_authentication/sssd
> I have been able to :
>   getent passwd
> = But I have tried previously to install sssd from repository, then from git ...
> I'll start over (thanks clonezilla ;-) ) and let you know.
> Nicolas

If you want to run the AD backend with sssd, you'll need a minimum of version 1.10. If you're gonna build it, I'd recommend 1.11 which was released yesterday.
Re: [Samba] Must Samba4 AD be provisionned with rfc2307 to use winbind ?
On Sat, 2013-09-28 at 09:11 +0100, Rowland Penny wrote:
> Just a thought, because all the RFC2307 attributes are already in Samba4 AD, does this mean that we are actually running at domain level 2003 R2? And if so, shouldn't the documentation etc show this.

Hi

Good question. I've always wondered about that. The output suggests that we are running at 2003:

  samba-tool domain level show
  Domain and forest function level for domain 'DC=hh3,DC=site'
  Forest function level: (Windows) 2003
  Domain function level: (Windows) 2003
  Lowest function level of a DC: (Windows) 2008 R2

Yet I'm old enough to remember that the 2003 server did not have the rfc2307 schema. It was introduced when sfu shipped as standard with 2003R2. Those joining Samba4 to a 2003 domain will NOT be able to use the 2307 attributes but those joining a 2003-R2 or above can [1]. If that's the case, then the output of the domain level show command is incorrect as we can and do use all the rfc2307 attributes. I can see that the 2008 R2 schema which ships with Samba4 also includes the attributes.

[1] I wonder if the 2012 AD schema has rfc2307?

Cheers,
Steve
Re: [Samba] mount.cifs and kerberos failure
On Sat, 2013-09-28 at 07:28 -0700, Cheng-Yang Tan wrote:
> Hi guys,
> This seems to be a well-known problem with mount.cifs on Ubuntu 12.04.

Hi

It's not a problem. It simply means that cifs.upcall doesn't know what key to use.

> mount.cifs -o sec=krb5,user=cytan,domain=ABCDE //beamssrv1.abcd.com/cytan$ ./win --verbose

If you wish cytan to mount and access the share (not a good idea but anyway. . .) then cytan must have an entry in the keytab. The cifs mount is then performed as:

  mount -t cifs //beamssrv1.abcd.com/cytan\$ ./win -osec=krb5,username=cytan,domain=ABCDE

note: username _not_ user and don't forget to escape the $.

Add the principal to the keytab on the client using ktutil:

  ktutil: addent -password -p cytan@ABCDE -k 1 -e arcfour-hmac

The method is described here:
http://linuxcostablanca.blogspot.com.es/2013/05/samba-3615-file-server-for-samba-406-ad.html

It would be better not to use a regular user to mount the share but instead create an unprivileged domain user, e.g. cifsuser, whose sole purpose is to mount the share. You can then mount it using the multiuser option if other users are required to use it.

HTH
Steve
Re: [Samba] Must Samba4 AD be provisionned with rfc2307 to use winbind ?
On Sat, 2013-09-28 at 17:11 +0200, Marc Muehlfeld wrote:
> If you use the MMC,

Hi. The op cannot use MMC.

Cheers,
Steve
Re: [Samba] Must Samba4 AD be provisionned with rfc2307 to use winbind ?
On Sat, 2013-09-28 at 16:22 +0100, Rowland Penny wrote:
> On 28/09/13 16:11, Marc Muehlfeld wrote:
> > Hello,
> >
> > On 28.09.2013 10:11, Rowland Penny wrote:
> > > > Without the rfc2307 domain provision, will I have to add manually uidNumber and gidNumber each time a new user is created from Windows Management Console ?
> > >
> > > Even with RFC2307 domain provision, you will have to add the uidNumber gidNumber manually, as Steve says, you can do this with samba-tool, but YOU have to supply these numbers, they are not incremented automatically.
> >
> > If you use the MMC, the numbers are incremented automatically. You simply select the NIS domain in the Unix tab and it shows the last UID/GID + 1. So you don't have to track somewhere which was the last UID/GID you've set. Microsoft tracks this somewhere in the directory under System / RpcServices.
> >
> > Regards,
> > Marc
>
> Well, yes you are probably right, but as I have never used the MMC to add a Linux user, I did not know this, so thanks for the heads up. Having said that, I still think it would be quicker to add a user via a script on the Linux server. Do you know exactly where Microsoft tracks the uidNumber?
>
> Rowland

Yeah, another good one.

Samba4 provisioned without rfc2307 takes the next uid/gidNumber from the CN=CONFIG counter object in idmap.ldb, attribute: xidNumber

If we set:

  idmap_ldb use:rfc2307 = Yes

in smb.conf the counter does not update and is ignored. This entry is added if we provision with rfc2307 but it can be added to a provision without it whereupon it has the same effect. The counter stops.

MMC introduces yet another way of guessing a uidNumber. I think the advice must be, choose one method and stick to it. They are not interchangeable. Rowland's RID script seems the most bulletproof to me.

Cheers,
Steve
Re: [Samba] Log in on Samba 4 AD DC using AD username
On Mon, 2013-09-23 at 09:55 -0600, jared.m.jacob...@l-3com.com wrote:
> https://wiki.samba.org/index.php/Local_user_management_and_authentication/sssd

Usually, it's because you've forgotten to put the rfc2307 attributes in AD. Do you have a minimum of:

  uidNumber:
  gidNumber:

for your users in AD?

Here's our version of how to do it with sssd:
http://linuxcostablanca.blogspot.com.es/2013/04/sssd-in-samba-40.html

HTH
Steve
Re: [Samba] Must Samba4 AD be provisionned with rfc2307 to use winbind ?
On Fri, 2013-09-27 at 19:09 +1100, m...@electronico.nc wrote:
> Hi all,
> (Trying to connect squid, postfix, dovecot, pptp, etc ... to AD)
> Samba 4.0.9, as PDC, on Ubuntu 12.04.3 server.
> Compiled with : ./configure --enable-debug --enable-selftest
> Domain provision : /usr/local/samba/bin/samba-tool domain provision
> Despite my reads and tries, I'm unable to list the AD users from Linux.
>   /usr/local/samba/bin/wbinfo -t
>   /usr/local/samba/bin/wbinfo -u
>   /usr/local/samba/bin/wbinfo -g
> are OK but :
>   getent passwd
> only lists Linux users.
> AD works OK and a lot of work has been done on it.
> If the rfc2307 option is required during domain provision, can I launch it without losing the whole AD configuration ?

Hi

No. You don't need to provision with rfc2307 to be able to use it. You simply need to add the rfc2307 attributes to the DN's of the users. e.g. use wbinfo to get the numbers:

  wbinfo -i steve2
  HH3\steve2:*:321:20513::/home/HH3/steve2:/bin/false

Now add:

  uidNumber: 321
  gidNumber: 20513

to steve2

An easy way to do that is with ldbedit. If you have a lot of users, use a script and then add the attributes using ldbmodify. I'd recommend using nslcd or sssd so that getent will pull the information from AD.

HTH
Steve
Re: [Samba] Adding RFC2307 attributes to an existing Win2003 AD domain?
On Fri, 2013-09-27 at 05:22 -0400, Thomas Harold wrote:
> Running Samba 4.0.9, we have added a pair of Samba4 domain controllers to an existing Win2003 domain. How do we determine whether RFC2307 attributes already exist in the domain? And how would we go about adding them to an already existing domain?

To check whether a user has rfc2307 run:

  getent passwd username

To check 100% he hasn't, use ldbsearch and look for uidNumber, gidNumber attributes.

To add them if they're not there: e.g. use wbinfo to get the numbers:

  wbinfo -i steve2
  HH3\steve2:*:321:20513::/home/HH3/steve2:/bin/false

Now add:

  uidNumber: 321
  gidNumber: 20513

to steve2 in the directory.

An easy way to do that is with ldbedit. If you have a lot of users, use a script and then add the attributes using ldbmodify.

You can add the whole of the rfc2307 user and group attributes using the schema that comes with Samba4.

HTH
Steve
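A script of the kind the reply above (and the two earlier replies in the "Must Samba4 AD be provisionned with rfc2307" thread) suggests, added here as an example and not Samba's own tooling: it turns wbinfo -i lines in the passwd format shown above into LDIF for ldbmodify, skipping users that ldbsearch already shows with a uidNumber so the script can be re-run safely. The DN form CN=<user>,CN=Users,DC=hh3,DC=site and both sample outputs are constructed assumptions.

```python
"""wbinfo -i output -> LDIF for ldbmodify (added example, not Samba's code).

Only uidNumber and gidNumber are emitted, the minimum the replies ask for.
"""
from typing import Dict, Iterable, Optional, Set

# Constructed `wbinfo -i` output; the first line is the one quoted on the page.
SAMPLE_WBINFO = """\
HH3\\steve2:*:321:20513::/home/HH3/steve2:/bin/false
HH3\\alice:*:322:20513::/home/HH3/alice:/bin/bash
HH3\\bob:*:323:20513::/home/HH3/bob:/bin/false
"""

# Constructed `ldbsearch ... sAMAccountName uidNumber` output: alice already
# has a uidNumber, bob does not.
SAMPLE_LDBSEARCH = """\
# record 1
dn: CN=alice,CN=Users,DC=hh3,DC=site
sAMAccountName: alice
uidNumber: 322

# record 2
dn: CN=bob,CN=Users,DC=hh3,DC=site
sAMAccountName: bob
"""

BASE_DN = "DC=hh3,DC=site"   # assumption: base DN from the domain level output above


def parse_wbinfo_line(line: str) -> Dict[str, str]:
    """Parse one passwd-format line from `wbinfo -i <user>`."""
    fields = line.rstrip("\n").split(":")
    if len(fields) != 7:
        raise ValueError(f"unexpected wbinfo output: {line!r}")
    name, _pw, uid, gid, _gecos, home, shell = fields
    # Drop the 'DOMAIN\' prefix winbind prepends (winbind separator '\').
    user = name.split("\\", 1)[1] if "\\" in name else name
    if not (uid.isdigit() and gid.isdigit()):
        raise ValueError(f"non-numeric uid/gid in {line!r}")
    return {"user": user, "uid": uid, "gid": gid, "home": home, "shell": shell}


def users_with_uidnumber(ldif_text: str) -> Set[str]:
    """Collect sAMAccountNames in ldbsearch output that already carry a uidNumber."""
    have: Set[str] = set()
    name, has_uid = None, False
    for line in ldif_text.splitlines() + [""]:
        if not line.strip():            # blank line ends an LDIF entry
            if name and has_uid:
                have.add(name)
            name, has_uid = None, False
        elif line.startswith("sAMAccountName: "):
            name = line.split(": ", 1)[1]
        elif line.startswith("uidNumber: "):
            has_uid = True
    return have


def user_to_ldif(entry: Dict[str, str], base_dn: str = BASE_DN,
                 existing: Iterable[str] = ()) -> Optional[str]:
    """Emit one LDIF 'modify' record adding uidNumber and gidNumber.

    Users in `existing` are skipped so re-running never adds a duplicate
    (ldbmodify would otherwise fail on the 'add' of a present attribute).
    """
    if entry["user"] in set(existing):
        return None
    lines = [
        f"dn: CN={entry['user']},CN=Users,{base_dn}",   # assumed DN layout
        "changetype: modify",
        "add: uidNumber",
        f"uidNumber: {entry['uid']}",
        "-",
        "add: gidNumber",
        f"gidNumber: {entry['gid']}",
        "-",
    ]
    return "\n".join(lines) + "\n"


def wbinfo_to_ldif(text: str, base_dn: str = BASE_DN,
                   existing: Iterable[str] = ()) -> str:
    """Convert a whole `wbinfo -i` listing into LDIF ready for ldbmodify."""
    existing = set(existing)
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ldif = user_to_ldif(parse_wbinfo_line(line), base_dn, existing)
        if ldif:
            records.append(ldif)
    return "\n".join(records)
```

Feed the result to ldbmodify against sam.ldb (or via ldap:// with Kerberos) and re-run getent passwd to confirm the users now appear.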
Re: [Samba] default idmap range in samba4
On Thu, 2013-09-26 at 12:07 +0200, Stéphane PURNELLE wrote:
> I have not found the solution and the samba team seems to have other things to do :-(

Hi

Assuming you have a Samba4 AD. In Samba4 the default idmap range is set in idmap.ldb:

  dn: CN=CONFIG
  cn: CONFIG
  lowerBound: 300
  upperBound: 400
  xidNumber: 355
  distinguishedName: CN=CONFIG

This object holds the next free xidNumber which will correspond if you add a new user or group. However, I don't think that will be much use to you. If your aim is to have the same uidNumber:gidNumber for users on all DC's then I'd recommend storing the numbers in AD and using winbind, nss-ldapd or sssd to retrieve them _from AD_. If you go for the latter, you remove the need to know ranges completely. To bypass the idmap, set

  idmap_ldb use:rfc2307 = Yes

in smb.conf and forget about the ranges.

HTH
Steve
Re: [Samba] setting permissions for unix users on samba shares
On Tue, 2013-09-24 at 16:13 -0700, Robert Watson wrote:
> I'm trying to grant permissions for linux system users (apache, mysql...) to have permissions on samba shares. I've established domain users' permissions while logged in as the domain admin and thought the SYSTEM account would cover these types of users but apparently not. Is there a built in linux group that maps to a windows domain group or do I have to establish this manually.

Hi

Not much to go on but you could:

  [global]
    username map = /some/place.txt

  [apache]
    path = /srv/www/wherever
    read only = yes
    write list = SomeDomainUser

with place.txt containing:

  !apache = SomeDomainUser

HTH
Steve
Re: [Samba] Samba as DC Member
On Mon, 2013-09-23 at 15:51 +0800, kevint...@umac.mo wrote:
> Dear all,
> I have installed Windows AD and a Linux client PC. On the Linux PC, I modified these files to allow AD users to logon to the Linux Client PC via LDAPS.
>   - /etc/sssd/sssd.conf
>   - /etc/krb5.conf
>   - /etc/pam.d/system-auth-ac
>   - /etc/pam.d/password-auth-ac
>   - /etc/openldap/ldap.conf
> My Linux Client is:
>   OS: CentOS 6.4, 64bit
>   IP: 192.168.30.1/16
> Thank you very much
> Kevin Tang

Hi

I think you want the client to be a file server no? Try in [global]:

  workgroup = MYDOMAIN
  security = ADS
  kerberos method = system keytab

Make sure /etc/hosts has:

  127.0.0.1 centos-client.mydomain.com centos-client localhost

and that you can (at least) ping the 2008 box. Then try to join the domain:

  net ads join -UAdministrator

That may get you a little closer.

HTH
Steve
Re: [Samba] Log on to Samba 4 AD DC using domain user
On Mon, 2013-09-23 at 10:00 -0600, jared.m.jacob...@l-3com.com wrote:
> Hi, all,
> I am having trouble figuring out how to log on to a Samba 4 AD DC using any AD domain account. Has anyone had success doing this? If so, is there a guide somewhere?

Hi

Each domain user must have a uidNumber and a gidNumber to be able to authenticate to a Linux system such as Samba4. You can use winbind, nss-ldapd or sssd to do that. I'd recommend storing the numbers in AD and pulling them direct rather than a separate mapping.

HTH
Steve
[Samba] ldbedit syntax problem
Hi

How do I ldbedit this dn?

  CN=*,OU=auto.users,ou=automount,DC=bar,DC=foo

It's the * that I can't get.

Cheers,
Steve
Re: [Samba] ldbedit syntax problem
On Sun, 2013-09-22 at 13:36 +0100, Rowland Penny wrote:
> On 22/09/13 13:04, steve wrote:
> > Hi
> > How do I ldbedit this dn?
> >   CN=*,OU=auto.users,ou=automount,DC=bar,DC=foo
> > It's the * that I can't get.
> > Cheers,
> > Steve
>
> Hi Steve, how about
>   'ldbedit -e nano --url=ldap://server.bar.foo --kerberos=yes --krb5-ccache=/tmp/krb5cc_0 CN=*'
> and then search in the results for '*'
>
> Rowland

Hi Rowland, hi everyone

Yes, that works fine, thanks. The problem is that it loads the whole of the db into the editor.

Cheers,
Steve
Re: [Samba] group share directory
On Sun, 2013-09-15 at 13:57 -0700, David Christensen wrote:
> but copying and moving didn't.

How about a big hammer? cron:

  find /mnt/z/data -type f -exec chmod 777 {} \;

as often as you think users may mv or cp. Try exec+ if they move a lot of files.

HTH
Steve
Re: [Samba] automatically create users home directories samba 4.0.9
On Mon, 2013-09-16 at 13:55 +0200, Shaun Megaw wrote:
> I have tried to create a physical directory and then invoke:
>   chmod 770 /home/Users/xlinuxd -R
> but this does not work either

Try this first:

  samba-tool user delete xlinuxd

Then recreate it but with:

  --home-directory=\\mydomain\Users\xlinuxd

When that doesn't work, try this too: I think you'll need to set the permissions.

  wbinfo -i xlinuxd

then

  chown uidNumber:gidNumber /home/Users/xlinuxd
  chmod 755 /home/Users/xlinuxd

In windows, it'll then appear as H:\

HTH
Steve
Re: [Samba] group share directory
On Mon, 2013-09-16 at 09:58 -0700, David Christensen wrote:
> On 09/16/13 02:10, steve wrote:
> > How about a big hammer? cron:
> > find /mnt/z/data -type f -exec chmod 777 {} \;
> > as often as you think users may mv or cp. Try exec+ if they move a lot of files.
>
> Thanks for the reply. :-)
>
> I would also need to do directories. Ignoring the group sticky bit, the desired mode is the same. So, I could lose the find and just chmod -R 0777. But, what about symbolic links? Or sockets, named pipes, block or character specials, etc.? Hmmm...
>
> Perhaps I need to forget about local access and settle for a Samba solution for regular files and directories only -- e.g. configure Samba to provide the needed functionality and then make Samba the only way into or out of GroupShare.
>
> David

Hi

It picks up directories too. It will be slow without the find. Just find all the files without 777. If it doesn't find any, it won't do anything:

find / -type f ! -perm 777

For symlinks everyone here will tell you not to use smb.conf:

follow symlinks = Yes
wide links = Yes

sockets and pipes, don't know.

Cheers
Re: [Samba] Bind9 AD SDLZ driver failed to load
On Wed, 2013-09-11 at 11:32 -0400, Robert Millott wrote:
> I installed Bind9 on a new ubuntu 13.04 server using apt-get install bind9 and am trying to integrate AD into it. Bind starts fine and will resolve my domain and computer names, but when I add the line include /usr/local/samba/private/named.conf into /etc/bind/named.conf, Bind9 fails to start.

Hi

On Ubuntu, I think bind runs as user bind. Can bind read/get into to be able to read the dns partition at /sam.ldb.d, /dns and dns.keytab under /usr/local/samba/private?

HTH
Steve
Re: [Samba] group share directory
On Sat, 2013-09-14 at 23:42 -0700, David Christensen wrote:
> samba:
>
> I am attempting to set up a group share directory on Debian Wheezy where any user can create or place files and directories, and every other user has full access to those files and directories. The directory will be accessed both locally and via Samba.

You have set access via posix acls. Does the share have inherit acls = Yes?
Re: [Samba] samba4 upgradeprovision
On Fri, 2013-09-13 at 16:28 -0700, Robert Watson wrote:
> I have the latest samba4 4.2 git running on centos6.4 but when I originally provisioned it I didn't include the --use-rfc2307 for AD posix attributes. I'd like to map certain AD users to unix users so should I do a samba-tool upgradeprovision --use-rfc2307 to add this option?

You only need to extend the schema if you want to use ADUC. If you're happy managing rfc2307 from the centos DC, then you're ready to go. For the git you have, you can use the new samba-tool user add which now has the ability to add rfc2307 attributes.

samba-tool user add --help

for the syntax details.

HTH
Steve
[Samba] BIND9_DLZ disallows ddns updates
Version 4.2.0pre1-GIT-20999fc
openSUSE
BIND9.9.3

Hi

We're getting refusal of ddns updates using nsupdate from a client sending the updates from sssd:

2013-09-14T22:53:36.517230+02:00 hh16 named[11055]: samba_dlz: starting transaction on zone hh3.site
2013-09-14T22:53:36.522244+02:00 hh16 named[11055]: samba_dlz: disallowing update of signer=CATRAL\$\@HH3.SITE name=catral.hh3.site type=A error=insufficient access rights
2013-09-14T22:53:36.522283+02:00 hh16 named[11055]: client 192.168.1.21#40836/key CATRAL\$\@HH3.SITE: updating zone 'hh3.site/NONE': update failed: rejected by secure update (REFUSED)
2013-09-14T22:53:36.522310+02:00 hh16 named[11055]: samba_dlz: cancelling transaction on zone hh3.site

CATRAL is a Linux client which is joined successfully to the domain. CATRAL$ is the machine key created in /etc/krb5.keytab when we joined the domain.

/etc/named.conf

options {
	directory /var/lib/named;
	managed-keys-directory /var/lib/named/dyn/;
	forwarders { 192.168.1.1; };
	notify no;
	tkey-gssapi-keytab /usr/local/samba/private/dns.keytab;
};
include /usr/local/samba/private/named.conf;

It starts fine:

2013-09-14T23:12:39.763122+02:00 hh16 named[11513]: Loading 'AD DNS Zone' using driver dlopen
2013-09-14T23:12:40.165286+02:00 hh16 named[11513]: samba_dlz: started for DN DC=hh3,DC=site
2013-09-14T23:12:40.166355+02:00 hh16 named[11513]: samba_dlz: starting configure
2013-09-14T23:12:40.166993+02:00 hh16 named[11513]: samba_dlz: configured writeable zone '1.168.192.in-addr.arpa'
2013-09-14T23:12:40.168235+02:00 hh16 named[11513]: samba_dlz: configured writeable zone 'hh3.site'
2013-09-14T23:12:40.169545+02:00 hh16 named[11513]: samba_dlz: configured writeable zone '_msdcs.hh3.site'

smb.conf:

[global]
	workgroup = HH3
	realm = HH3.SITE
	netbios name = HH16
	server role = active directory domain controller
	server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbbind, ntp_signd, kcc, dnsupdate
	idmap_ldb:use rfc2307 = yes

[netlogon]
	path = /usr/local/samba/var/locks/sysvol/hh3.site/scripts
	read only = No

[sysvol]
	path = /usr/local/samba/var/locks/sysvol
	read only = No

What's missing?

Thanks,
Steve
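As an added example (not code from the post or from Samba), a small parser for the samba_dlz refusal lines quoted above: it pairs each 'disallowing update' message with the named 'client ... update failed' line that follows it, counts refusals per source address and signing key, and flags any refusal where the signing machine account is not the owner of the host name it tried to update. The sample log is constructed from the quoted lines; the second refusal, against the DC's own record, is invented for illustration.

```python
"""Detect refused secure dynamic DNS updates in BIND9_DLZ (samba_dlz) logs.
Added example; the log format is the one quoted in the post, the function
names are this example's own."""
import re
from collections import Counter

# Constructed sample, modelled on the lines quoted above.  The second
# refusal (CATRAL$ trying to write hh16.hh3.site, the DC's name) is invented.
SAMPLE_LOG = r"""
2013-09-14T22:53:36.517230+02:00 hh16 named[11055]: samba_dlz: starting transaction on zone hh3.site
2013-09-14T22:53:36.522244+02:00 hh16 named[11055]: samba_dlz: disallowing update of signer=CATRAL\$\@HH3.SITE name=catral.hh3.site type=A error=insufficient access rights
2013-09-14T22:53:36.522283+02:00 hh16 named[11055]: client 192.168.1.21#40836/key CATRAL\$\@HH3.SITE: updating zone 'hh3.site/NONE': update failed: rejected by secure update (REFUSED)
2013-09-14T22:53:36.522310+02:00 hh16 named[11055]: samba_dlz: cancelling transaction on zone hh3.site
2013-09-14T22:55:01.000000+02:00 hh16 named[11055]: samba_dlz: starting transaction on zone hh3.site
2013-09-14T22:55:01.000100+02:00 hh16 named[11055]: samba_dlz: disallowing update of signer=CATRAL\$\@HH3.SITE name=hh16.hh3.site type=A error=insufficient access rights
2013-09-14T22:55:01.000200+02:00 hh16 named[11055]: client 192.168.1.21#40837/key CATRAL\$\@HH3.SITE: updating zone 'hh3.site/NONE': update failed: rejected by secure update (REFUSED)
2013-09-14T22:55:01.000300+02:00 hh16 named[11055]: samba_dlz: cancelling transaction on zone hh3.site
"""

# syslog prefix: timestamp, host, named[pid]: message
LINE_RE = re.compile(r'^(?P<ts>\S+) (?P<host>\S+) named\[(?P<pid>\d+)\]: (?P<msg>.*)$')
# samba_dlz's own verdict, with the signing principal and the name/type it refused
DISALLOW_RE = re.compile(r'samba_dlz: disallowing update of signer=(?P<signer>\S+) '
                         r'name=(?P<name>\S+) type=(?P<type>\S+) error=(?P<error>.*)$')
# named's follow-up line, the only one carrying the client's source address
CLIENT_RE = re.compile(r"client (?P<addr>[^#]+)#(?P<port>\d+)/key (?P<key>\S+): "
                       r"updating zone '(?P<zone>[^']+)': update failed: (?P<reason>.*)$")


def signer_host(signer):
    """CATRAL\\$\\@HH3.SITE -> 'catral': strip the log escaping, the realm and
    the trailing '$' of the machine account."""
    account = signer.replace('\\', '').split('@', 1)[0]
    return account.rstrip('$').lower()


def parse_refusals(text):
    """One dict per refused update.  The dlz line gives signer, name and type;
    the client line that follows (same process, same key) adds address and zone."""
    refusals = []
    pending = None
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        msg = m.group('msg')
        d = DISALLOW_RE.match(msg)
        if d:
            pending = {'ts': m.group('ts'), 'pid': m.group('pid'), 'client': None}
            pending.update(d.groupdict())
            # A machine account is expected to update only its own host record.
            pending['owns_name'] = (pending['name'].split('.')[0].lower()
                                    == signer_host(pending['signer']))
            continue
        c = CLIENT_RE.match(msg)
        if (c and pending and c.group('key') == pending['signer']
                and m.group('pid') == pending['pid']):
            pending['client'] = c.group('addr')
            pending['zone'] = c.group('zone')
            pending['reason'] = c.group('reason')
            refusals.append(pending)
            pending = None
    return refusals


def suspicious(refusals):
    """Refusals worth a second look: a key writing a name it does not own
    (a misconfigured client, or a machine credential used from elsewhere)."""
    return [r for r in refusals if not r['owns_name']]


def count_by_client(refusals):
    """(source address, signer) -> number of refused updates."""
    return Counter((r['client'], r['signer']) for r in refusals)


if __name__ == '__main__':
    found = parse_refusals(SAMPLE_LOG)
    for r in found:
        print(r['ts'], r['client'], r['signer'], r['name'], r['type'],
              'owns name' if r['owns_name'] else 'DOES NOT OWN NAME')
    print(count_by_client(found))
```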
Re: [Samba] Samba 4 and automount
On Fri, 2013-09-13 at 09:54 +0100, Rowland Penny wrote:
> On 13/09/13 09:34, steve wrote:
> > Hi
> > I re-read your post with all the info and found these:
> > DEFAULT_MASTER_MAP_NAME=CN=auto.master,CN=HOME,CN=defaultMigrationContainer30,DC=hh3,DC=site
> > SEARCH_BASE=CN=home,CN=defaultMigrationContainer30,DC=hh3,DC=site
>
> HOME home are MY domain, you need to set them to YOUR domain

Hi Rowland

Yeah, I was being spectacularly thick yesterday. I gave up with the /etc/sysconfig/autofs approach and went for sssd instead. I sensed that this was gonna be a lot simpler with sssd. Thanks for your guidance with the schema. I've put the details and the maps converted for AD here:
http://linuxcostablanca.blogspot.com.es/2013/09/samba4-autofs.html

HTH
Steve
Re: [Samba] Sharing files while being member of an active directory
On Thu, 2013-09-12 at 02:10 +0200, Mikkel Christensen wrote:
> > Hi Greg
> > You give almost no information about what's wrong or the details.
>
> I think, when you take my question into consideration, that I provided plenty of information. But I shall try to get a little bit more into the details.
>
> > Did your install go flawlessly, and the new Samba box joined the domain fine?
>
> As I said in the first mail, wbinfo -u and wbinfo -g works … so yes the install was flawless and the join procedure worked very well.
>
> > What Windows clients, Win7, XP, Vista, Win8, Win95?
>
> Windows Server 2012
>
> > Are the windows clients members of the domain?
>
> Yes of course
>
> > What is holding the domain, a Samba server or Windows? What functional level is the domain? (AD 2000, AD 2008R2 etc)
>
> Windows 2008R2
>
> > It's not clear to me, you're sharing files from the Samba4 box?
>
> It's pretty clear when you look at the referred guide: https://wiki.samba.org/index.php/Samba4/Domain_Member
>
> > Could you reproduce your smb.conf?
>
> Yes … it's in the guide as well: https://wiki.samba.org/index.php/Samba4/Domain_Member
>
> > I'm probably not the guy who can help best, but no-one will have the least idea where to start with what you've *not* provided in terms of details.
>
> Thanks for your insight, but I expect the correct answer to be "You are following the wrong guide, go here: http://something.com/blah" :-)
>
> Anyway I hope these further details may help others help me … :-)
>
> /Mike

Hi

As you've followed the guide, you will have: 'Users/groups having a uidNumber/gidNumber set in AD. . .'. The only other thing I can think of is the permissions on:
/srv/samba/test

kinit mik...@mikjaer.com
smbclient //fileserver/test -Umikkel

As a separate test, then from a root account, su to mikkel on the fileserver and migrate to the share. You'll have also tested rfc2307 as per the guide, but what does:

getent passwd mikkel

give?

Something to try. . .

HTH
Steve
Re: [Samba] Samba4 automount schema: convert from flat files to LDAP
On Mon, 2013-09-09 at 15:00 +0200, steve wrote:
> Hi
> I think I've managed to get the automount classes into the schema:
>
> ldbsearch --url=/usr/local/samba/private/sam.ldb.d/CN=SCHEMA,CN=CONFIGURATION,DC=HH3,DC=SITE.ldb | grep dn: CN=automount
> dn: CN=automountKey,CN=Schema,CN=Configuration,DC=hh3,DC=site
> dn: CN=automount,CN=Schema,CN=Configuration,DC=hh3,DC=site
> dn: CN=automountInformation,CN=Schema,CN=Configuration,DC=hh3,DC=site
> dn: CN=automountMapName,CN=Schema,CN=Configuration,DC=hh3,DC=site
> dn: CN=automountMap,CN=Schema,CN=Configuration,DC=hh3,DC=site
>
> 1. Samba fires up fine. Does that look about right?
> 2. I now have to convert the following files to LDAP syntax:
>
> /etc/auto.master
> /home/users /etc/auto.users
>
> and:
>
> /etc/auto.users
> * -fstype=cifs,sec=krb5,username=cifsuser,multiuser ://altea/users/
>
> There's so much unreadable stuff out there. Do we have anything followable for this? Can anyone point me in the right direction?
> Cheers,
> Steve

Hi again

Really struggling with this. I've translated the flat files to this:

dn: automountmapname=auto.master,dc=hh3,dc=site
automountMapName: auto.master
objectClass: automountMap
objectClass: top
instanceType: 4

dn: automountKey=/home/users,automountmapname=auto.master,dc=hh3,dc=site
automountInformation: auto.users
automountKey: /home/users
objectClass: top
objectClass: automount

dn: automountmapname=auto.users,dc=hh3,dc=site
automountMapName: auto.users
objectClass: automountMap
objectClass: top

dn: automountKey=*,automountmapname=auto.users,dc=hh3,dc=site
automountInformation: -fstype=cifs,sec=krb5,username=cifsuser,multiuser ://altea/users/
automountKey: *
objectClass: top
objectClass: automount

It will not accept the automountMapName attribute when trying to add it with ldbadd. However, in this post:
https://lists.samba.org/archive/samba/2013-January/170907.html
it seems I'm not allowed to have either the automountMapName nor automountKey attributes. How do I do this without those attributes?

There's a wiki item here:
https://wiki.samba.org/index.php/Samba4/Schema_extenstions
which I used to extend the schema. It doesn't work as it stands but at least I seem to have got the stuff into AD now.

Is there anyone who has managed to:
1. Extend the schema to include automounter maps?
2. Constructed automount maps in AD?

Any help most gratefully received.

Thanks,
Steve
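An added example, not code from the thread or from Samba, serving both this post and the earlier "ldbedit syntax problem" one: it converts the two flat autofs maps quoted above into LDIF for the automountMap / automount classes, escaping DN values per RFC 4514, and builds the RFC 4515 search filter that selects the '*' key alone (the ldbedit expression CN=* is a presence test, which is why the whole db landed in the editor). The base DN, map contents and attribute names are taken from the posts; the function names are this example's own.

```python
"""autofs flat map -> LDIF for the automountMap / automount schema classes.
Added example (not from the thread or Samba); base DN, map contents and
attribute names come from the posts, function names are this example's own."""
import base64

# Constructed copies of the two flat maps quoted in the post.
AUTO_MASTER = "/home/users /etc/auto.users\n"
AUTO_USERS = "* -fstype=cifs,sec=krb5,username=cifsuser,multiuser ://altea/users/\n"
BASE_DN = "dc=hh3,dc=site"

# RFC 4514 section 2.4: characters that must be backslash-escaped in a DN
# value.  '*' is not one of them, so automountKey=* is a valid RDN as it is.
_DN_SPECIAL = ',+"\\<>;'


def dn_escape(value):
    """Escape one attribute value for use inside a DN."""
    last = len(value) - 1
    out = []
    for i, ch in enumerate(value):
        if ch in _DN_SPECIAL or (i == 0 and ch in ' #') or (i == last and ch == ' '):
            out.append('\\' + ch)
        else:
            out.append(ch)
    return ''.join(out)


def filter_escape(value):
    """Escape a value for an LDAP search filter (RFC 4515).  Unlike in a DN,
    '*' IS special here: (automountKey=*) is a presence test matching every
    entry that carries the attribute, whereas (automountKey=\\2a) matches
    only the literal key '*'."""
    table = {'\\': '\\5c', '*': '\\2a', '(': '\\28', ')': '\\29', '\x00': '\\00'}
    return ''.join(table.get(ch, ch) for ch in value)


def key_filter(key, attr='automountKey'):
    """Filter that selects the single entry for one map key."""
    return '(%s=%s)' % (attr, filter_escape(key))


def ldif_attr(name, value):
    """One LDIF attribute line; RFC 2849 needs base64 ('::') when the value
    starts with space, ':' or '<', or contains non-ASCII or control chars."""
    unsafe = (not value.isascii() or value[:1] in (' ', ':', '<')
              or any(c in value for c in '\r\n\x00'))
    if unsafe:
        return '%s:: %s' % (name, base64.b64encode(value.encode()).decode('ascii'))
    return '%s: %s' % (name, value)


def parse_map(text):
    """autofs map lines are '<key> <options/location>'; comments and blank
    lines are skipped, a line without two fields is rejected."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError('malformed map line: %r' % raw)
        entries.append((parts[0], parts[1]))
    return entries


def map_to_ldif(map_name, text, base_dn, master=False):
    """One automountMap entry for the map plus one automount entry per key.
    In the master map the information field names another map, so the file
    path /etc/auto.users becomes the map name auto.users (as in the post's
    hand-written LDIF); any trailing mount options are kept."""
    map_dn = 'automountMapName=%s,%s' % (dn_escape(map_name), base_dn)
    blocks = ['\n'.join(['dn: ' + map_dn,
                         'objectClass: top',
                         'objectClass: automountMap',
                         ldif_attr('automountMapName', map_name)]) + '\n']
    for key, info in parse_map(text):
        if master:
            target, _, options = info.partition(' ')
            info = (target.rsplit('/', 1)[-1] + ' ' + options).strip()
        blocks.append('\n'.join(['dn: automountKey=%s,%s' % (dn_escape(key), map_dn),
                                 'objectClass: top',
                                 'objectClass: automount',
                                 ldif_attr('automountKey', key),
                                 ldif_attr('automountInformation', info)]) + '\n')
    return '\n'.join(blocks)


if __name__ == '__main__':
    print(map_to_ldif('auto.master', AUTO_MASTER, BASE_DN, master=True))
    print(map_to_ldif('auto.users', AUTO_USERS, BASE_DN))
    print(key_filter('*'))  # (automountKey=\2a)
```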
[Samba] Samba4 automount schema: convert from flat files to LDAP
Hi

I think I've managed to get the automount classes into the schema:

ldbsearch --url=/usr/local/samba/private/sam.ldb.d/CN=SCHEMA,CN=CONFIGURATION,DC=HH3,DC=SITE.ldb | grep dn: CN=automount
dn: CN=automountKey,CN=Schema,CN=Configuration,DC=hh3,DC=site
dn: CN=automount,CN=Schema,CN=Configuration,DC=hh3,DC=site
dn: CN=automountInformation,CN=Schema,CN=Configuration,DC=hh3,DC=site
dn: CN=automountMapName,CN=Schema,CN=Configuration,DC=hh3,DC=site
dn: CN=automountMap,CN=Schema,CN=Configuration,DC=hh3,DC=site

1. Samba fires up fine. Does that look about right?
2. I now have to convert the following files to LDAP syntax:

/etc/auto.master
/home/users /etc/auto.users

and:

/etc/auto.users
* -fstype=cifs,sec=krb5,username=cifsuser,multiuser ://altea/users/

There's so much unreadable stuff out there. Do we have anything followable for this? Can anyone point me in the right direction?

Cheers,
Steve
Re: [Samba] Samba4/Windows DNS replication and administration issue
On Thu, 2013-09-05 at 20:39 -0700, Pete Storkey wrote:
> I have tried manually recreating dns.keytab:
>
> # samba-tool domain exportkeytab --principal=DNS/server.domain.com /var/lib/samba/private/dns.keytab
> # samba-tool domain exportkeytab --principal=DNS/windowsserver.domain.com /var/lib/samba/private/dns.keytab

That syntax seems wrong.

# samba-tool domain exportkeytab /path/to/dns.keytab --principal=server1.your.domain

> The contents of dns.keytab are as follows:
>
> # ktutil
> ktutil: read_kt /var/lib/samba/private/dns.keytab
> ktutil: list
> slot KVNO Principal
> ----
> 11 DNS/server.domain@domain.com
> 21 DNS/server.domain@domain.com
> 31 DNS/server.domain@domain.com
> 4 31 DNS/windowsserver.domain@domain.com
> 5 31 DNS/windowsserver.domain@domain.com
> 6 31 DNS/windowsserver.domain@domain.com
> 7 31 DNS/windowsserver.domain@domain.com
>
> The problem persists after recreating dns.keytab and restarting Samba and Bind daemons. Is this the correct way to generate the dns.keytab? Is there anything I'm missing?

Maybe you didn't recreate the keytab? Look for the timestamp:

klist -kte /path/to/dns.keytab

The only difference I can see with our keytab is that we have:

DNS/fqdn@REALM

and

short-hostname@REALM

Maybe this isn't a keytab issue?

HTH
Steve
[Samba] How do I lock a shared file?
4.0.9 as a file server

Hi

We have a rw folder where we can share files. If a user opens a file, I would like it to be locked so the other users can't open and edit it at the same time. Is this possible? Here is the share with its acl:

[privado]
	path = /home/privado
	read only = No
	inherit acls = Yes

getfacl /home/privado
getfacl: Removing leading '/' from absolute path names
# file: home/privado
# owner: root
# group: Domain\040Users
user::rwx
group::rwx
other::r-x
default:user::rwx
default:group::rwx
default:other::---

Cheers,
Steve
Re: [Samba] How do I lock a shared file?
On Thu, 2013-09-05 at 11:51 +0200, Volker Lendecke wrote:
> On Thu, Sep 05, 2013 at 10:30:56AM +0200, steve wrote:
> > 4.0.9 as a file server
> >
> > Hi
> > We have a rw folder where we can share files. If a user opens a file, I would like it to be locked so the other users can't open and edit it at the same time. Is this possible?
>
> Open the file with a smb client with value 0 for the sharing argument. This will block access for other SMB clients.
>
> Volker

Hi

Could you give me a pointer as to how to do that? Is it an option in smb.conf? Surely, we would want to do this with all files on a network no? I noticed that LibreOffice does it by producing a lock file. Is there anything in Samba that will do that with all files, not just office?

Cheers,
Steve
Re: [Samba] How do I lock a shared file?
On Thu, 2013-09-05 at 13:34 +0200, Volker Lendecke wrote:
> On Thu, Sep 05, 2013 at 01:23:14PM +0200, steve wrote:
> > On Thu, 2013-09-05 at 11:51 +0200, Volker Lendecke wrote:
> > > On Thu, Sep 05, 2013 at 10:30:56AM +0200, steve wrote:
> > > > 4.0.9 as a file server
> > > >
> > > > Hi
> > > > We have a rw folder where we can share files. If a user opens a file, I would like it to be locked so the other users can't open and edit it at the same time. Is this possible?
> > >
> > > Open the file with a smb client with value 0 for the sharing argument. This will block access for other SMB clients.
> > >
> > > Volker
> >
> > Hi
> > Could you give me a pointer as to how to do that? Is it an option in smb.conf? Surely, we would want to do this with all files on a network no? I noticed that LibreOffice does it by producing a lock file. Is there anything in Samba that will do that with all files, not just office?
>
> This is a feature of the SMB protocol that a client can explicitly request. It's called share modes. There is no option where you can enable this for all open files. This would not make sense, as very often a single client opens a file more than once simultaneously.
>
> What is your exact use case for this feature?

School classes often have projects with files that many students will need to edit. We are surprised that there is no way for a user to find out if a file is already open. It causes chaos for us unless we do all our work in LibreOffice.

Thanks,
Steve
Re: [Samba] How do I lock a shared file?
On Thu, 2013-09-05 at 14:14 +0200, Volker Lendecke wrote:
> On Thu, Sep 05, 2013 at 02:08:27PM +0200, steve wrote:
> > > This is a feature of the SMB protocol that a client can explicitly request. It's called share modes. There is no option where you can enable this for all open files. This would not make sense, as very often a single client opens a file more than once simultaneously.
> > >
> > > What is your exact use case for this feature?
> >
> > School classes often have projects with files that many students will need to edit. We are surprised that there is no way for a user to find out if a file is already open. It causes chaos for us unless we do all our work in LibreOffice.
>
> Your clients are Linux?

A mix of Linux, xp and 7.

> Well, indeed there is no good support for locking files across applications. If your clients are Windows then that should work fine, Windows traditionally was better at that.

No, it doesn't seem to work for us. Anyone can open e.g. a txt file with notepad or anything else, simultaneously. Between any combination of client.

> Linux programs like vim do it on their own, like many editors do. But many programs don't do that well. That's why version control systems like git and all the other ones exist. Certainly overkill for 6-year-olds, but it allows more parallel work.
>
> Also, nobody forces applications to keep files open while they are edited. For example even some Windows native editor (I don't remember which) loads files into memory and closes the file until saving.

It's a pity that we'll have to work around it. Surely Samba knows if a file is open or not doesn't it? What's all this oplock stuff? It would be useful if we could have an option for smb.conf like:

lock open files = Yes

I realise that it's not for everybody. Would that be hard to implement?

Thanks,
Steve
Re: [Samba] How do I lock a shared file?
On Thu, 2013-09-05 at 14:40 +0200, Helmut Hullen wrote:
> Hello, steve, you wrote on 05.09.13:
>
> > School classes often have projects with files that many students will need to edit.
>
> [...]
>
> > > Also, nobody forces applications to keep files open while they are edited. For example even some Windows native editor (I don't remember which) loads files into memory and closes the file until saving.
> >
> > It's a pity that we'll have to work around it. Surely Samba knows if a file is open or not doesn't it? What's all this oplock stuff? It would be useful if we could have an option for smb.conf like:
> > lock open files = Yes
> > I realise that it's not for everybody. Would that be hard to implement?
>
> Perhaps you need another tool than a text editor which is designed for one man (m/f), one work. I'd test some wikis for such a job. But then still there is the problem with two pupils (or other persons) one filling the document and the other deleting word for word. Programmers for data bases know this problem ...
>
> And just for demonstration: group all pupils around the whiteboard or blackboard in the class room, let them create and edit one text on this board, everybody with a piece of chalk and a wiping cloth.

Hi

Yeah, the lesson plan is a good idea! LibreOffice locks files as you'd expect:) Nothing else works though. I'm amazed that no one else has encountered this before.

Cheers,
Steve
Re: [Samba] primary GID based access for user in 16 supplementary groups
On Thu, 2013-09-05 at 19:45 +0100, Tris Mabbs wrote:
> 5. Are you *absolutely* sure that your idmap back-ends are doing what you thought?

Here's another few cents:

What you are describing is almost certainly mismatched gidNumbers. Depending on where the SID to GID mapping came from it will be different. Most certainly not what you want. So:

Avoid anything other than the ad backend like the plague.
Add gidNumber to the DN of the group and uidNumber and gidNumber to the DN of the user.
Use sssd to pull that info from AD on _anything_ unix be it the DC, the file server or a solaris/linux client.

HTH
Steve
Re: [Samba] How do I lock a shared file?
On Thu, 2013-09-05 at 10:25 -0700, Jeremy Allison wrote:
> On Thu, Sep 05, 2013 at 06:25:15PM +0200, steve wrote:
> > Hi
> > Yeah, the lesson plan is a good idea! LibreOffice locks files as you'd expect:) Nothing else works though. I'm amazed that no one else has encountered this before.
>
> Every content management service software product is based on the fact that people encounter this every day :-).

Yeah, scary. I'd forgotten that people did something with computers after we'd installed Samba on them!
Re: [Samba] Samba 4 - nslcd setup on Debian
On Wed, 2013-09-04 at 17:53 +0100, Chris Alavoine wrote:
> Hi folks,
>
> Have been battling with this for a while. I have a Debian 6/Samba 4 install working nicely. Have migrated my old Samba 3 domain and can see all users/groups via AD management tools fine.
>
> I am now trying to get the *nix side sorted. Have followed the guide here:
> https://wiki.samba.org/index.php/Local_user_management_and_authentication/nslcd
>
> Which works up to a point. All users and groups are visible with getent etc, but any new users that are created are not seen. Any existing user/group updates are reflected but if I create a new user and then do getent group | grep user I get nothing, same with id -Gn user or groups user.
>
> If I do:
> samba-tool user list | grep user
> The user is found and I can see it using RSAT tools from a Windows Server 2008 R2 box.
>
> Any suggestions?

Your old users had rfc2307 attributes but your new ones do not. When you create the new user, you have to give him rfc2307 attributes such as uidNumber and gidNumber. In later releases, you can use samba-tool to do this. Otherwise you can use ldbedit or ldbmodify. I doubt whether your debian install is recent enough. There are scripts here:
http://linuxcostablanca.blogspot.com.es/p/s4bind.html
I'd recommend building from source.

HTH
Steve
Re: [Samba] smbd looking for non existent files
On Sun, 2013-08-25 at 12:37 +0200, Michael Wood wrote:
> On 24 August 2013 22:39, steve st...@steve-ss.com wrote:
> > On Sat, 2013-08-24 at 20:57 +0200, Michael Wood wrote:
> > > Hi
> > >
> > > On 24 August 2013 19:05, steve st...@steve-ss.com wrote:
> > > > Hi
> > > > 4.0.8 file server in a 4.0.8 domain
> > > > After a user logs in on a Linux client which is joined to the domain, smbd is constantly looking for files which don't exist:
> > >
> > > smbd has no reason to look for those files unless the client asks for them. I suspect you just need to turn down the debug level a bit.
> >
> > Here is the file server log after a user login to a Linux client has settled down:
> > [2013/08/24 18:43:24.748511, 3] ../source3/smbd/vfs.c:1140(check_reduced_name)
> > check_reduced_name [steve2/.icons/gnome] [/home/users]
> > [...]
> >
> > Hi
> > But if I turn the log level down, it's only at 3, that doesn't stop it looking. Does it?
>
> No, of course not.
>
> > As you say, steve2/.icons/gnome must be coming from the Linux client. Would it be correct to eliminate samba from this issue? My fear is that scaling this up by replacing windows boxes with Linux is going to grind the whole thing to a halt.
> >
> > > Since it's the client asking for those files, this will be no different if you were running a Windows server.
> >
> > Except that the windows server will not log all the file not found messages. Watching tail -f log.smbd is scary.
>
> Then turn down the log level! :)
>
> Turn it up again if you're having problems, of course, but this just looks like normal stuff that you should not need to worry about.

Hi

The problem is that each Linux client adds 0.7% to smbd. That's a constant load. I realise it's not a Samba issue. I'll have to either switch to another DE or revert the Linux boxes to xp.

Steve
Re: [Samba] smbd looking for non existent files
On Mon, 2013-09-02 at 23:02 +0200, Michael Wood wrote:
> Is the load the same even if you turn down the logging?

Yes, but don't rely on the 0.7%. It's a constant load but not exact. I'm getting the figures by running 'top'. e.g. 18 clients produce a constant load of 16%. I can see where you're coming from. If I log to the file rather than tail -f in real time it's a bit better, but you need a lot of clients to be able to notice it. I've started replacing LXDE with KDE. It's slower, but we'll be able to have all the clients connected at once. I've also tried asking on my distro list. Nada.

> > Hi
> > The problem is that each Linux client adds 0.7% to smbd. That's a constant load. I realise it's not a Samba issue. I'll have to either switch to another DE or revert the Linux boxes to xp.
> > Steve
Re: [Samba] Not Obeying require_membership_of winbind.so when User must change password at next logon
On Thu, 2013-08-22 at 11:49 +, Jason Caylor wrote:
> Okay, so I have an Active Directory server running on Windows Server 2012 Standard
>
> I have configured Samba/Kerberos/Winbind on Ubuntu 13.04 to bind to the DC properly. I am able to login with my Active Directory users credentials.
>
> When I use the 'require_membership_of' option in pam.d/common-auth for winbind.so using the SID of the group I want to restrict access to, it works like a charm.

Hi

Say the group with that SID is mygroup. Does:

getent group mygroup

return a gidNumber? If so, then:

Put only the users you want. Then common-account:

account required pam_succeed_if.so user ingroup mygroup

man pam_succeed_if

BTW, I'd strongly advise changing to the ad backend.

HTH
Steve
Re: [Samba] Not Obeying require_membership_of winbind.so when User must change password at next logon
On Sun, 2013-09-01 at 09:56 +0200, steve wrote:
> On Thu, 2013-08-22 at 11:49 +, Jason Caylor wrote:
> > Okay, so I have an Active Directory server running on Windows Server 2012 Standard
> >
> > I have configured Samba/Kerberos/Winbind on Ubuntu 13.04 to bind to the DC properly. I am able to login with my Active Directory users credentials.
> >
> > When I use the 'require_membership_of' option in pam.d/common-auth for winbind.so using the SID of the group I want to restrict access to, it works like a charm.
>
> Hi
>
> Say the group with that SID is mygroup. Does:
> getent group mygroup
> return a gidNumber? If so, then:
>
> Put only the users you want. Then common-account:
> account required pam_succeed_if.so user ingroup mygroup
>
> man pam_succeed_if
>
> BTW, I'd strongly advise changing to the ad backend.
>
> HTH
> Steve

Hi

Sorry, I'm not answering the question. These are not fixes, rather 'something else to try' things.
Re: [Samba] objectClass:posixAccount missing
On Sat, 2013-08-31 at 00:14 +0200, Luca Olivetti wrote:
> On 30/08/13 23:44, steve wrote:
> > Interesting point; you've now sampled winbind, nslcd and sssd to the same end. Have you made a decision as to which you'll be going with?
>
> Well, the real deployment will take some time (measured in months rather than weeks), I have a lot more to learn and I'm busy with other things. I'm not still 100% convinced that I need to migrate from samba 3 to samba 4, and once I am I have to explain it to my boss. Anyway I think I'll go with sssd, my unscientific tests (time getent, time id) tell me it's an order of magnitude faster than nslcd (both for uncached and cached data). winbind, I don't like it, for no particular reason. It also seems to be the slowest of the pack.

One site we run has 600 users all with rfc2307. The only way we can getent the whole list is with sssd. I know it's a false test as I don't suppose you'd ever need to do it, but with enumeration, winbind grinds to around one user per minute after it's done around 200. Of course, those blessed with modern hardware need only toss a 3 way coin.

Cheers,
Steve
Re: [Samba] objectClass:posixAccount missing
On Sat, 2013-08-31 at 11:47 +0200, Marc Muehlfeld wrote:
> On 31.08.2013 00:14, Luca Olivetti wrote:
> > I'm not still 100% convinced that I need to migrate from samba 3 to samba 4, and once I am I have to explain it to my boss.
>
> Samba 4 != AD only

Hi

I think the OP realises that. His main concern and problem was the usual confusion with winbind and the mystery surrounding rfc2307 and its representation in and out of AD. In this thread, we've thrashed the merits of winbind, nslcd and sssd to hell and soon thanks to your good self, we'll have readable howtos on all three. Let's see if that serves to relieve the never ending series of posts highlighting the lack of reliable, up to date and dare I say it plain English and readable explanations of at least how to get started.

I feel we've made progress. Next time a winbind problem gets posted, we'll be able to refer to 3 democratically produced howtos. Thanks to Marc for listening to us and inviting us in on his howtos, Luca for his patience in hearing us out 'till EOT and to Rowland for keeping me sane. OpenSource at its best.

Cheers,
Steve
Re: [Samba] objectClass:posixAccount missing
On Sat, 2013-08-31 at 17:25 +0200, Luca Olivetti wrote:
> On 31/08/13 15:23, steve wrote:
> > I feel we've made progress. Next time a winbind problem gets posted, we'll be able to refer to 3 democratically produced howtos. Thanks to Marc for listening to us and inviting us in on his howtos, Luca for his patience in hearing us out 'till EOT and to Rowland for keeping me sane. OpenSource at its best.
>
> An update on sssd+gssapi: I setup a client VM where I copied the keytab and the sssd.conf of the server. I got the same 'Server not found in Kerberos database' error. I tried many things (adding the client address in samba 4 dns, install samba 3 on the client and trying to join the domain, which, btw, I didn't manage to do, trying to follow the instructions here https://fedorahosted.org/sssd/wiki/Configuring%20sssd%20to%20authenticate%20with%20a%20Windows%202008%20Domain%20Server, again, unsuccessfully, etc.). What seems to have solved the problem has been setting the hostname to a simple name without domain, e.g. changing it from cliente.wetron.es to cliente.
>
> I really have to study this kerberos thingie ;-)

Hi

It doesn't work here either. The only way we can get it to authenticate or join the domain is to add:

I.P.ADD.RRESS f.q.d.n short-hostname

of the DC to /etc/hosts

Steve
Re: [Samba] objectClass:posixAccount missing
On Sat, 2013-08-31 at 17:53 +0200, steve wrote:
> On Sat, 2013-08-31 at 17:25 +0200, Luca Olivetti wrote:
>> On 31/08/13 15:23, steve wrote:
>>> I feel we've made progress. Next time a winbind problem gets posted, we'll be able to refer to 3 democratically produced howtos. Thanks to Marc for listening to us and inviting us in on his howtos, Luca for his patience in hearing us out 'till EOT and to Rowland for keeping me sane. OpenSource at its best.
>> An update on sssd+gssapi: I setup a client VM where I copied the keytab and the sssd.conf of the server. I got the same 'Server not found in Kerberos database' error. I tried many things (adding the client address in samba 4 dns, install samba 3 on the client and trying to join the domain, which, btw, I didn't manage to do, trying to follow the instructions here https://fedorahosted.org/sssd/wiki/Configuring%20sssd%20to%20authenticate%20with%20a%20Windows%202008%20Domain%20Server, again, unsuccessfully, etc.). What seems to have solved the problem has been setting the hostname to a simple name without domain, e.g. changing it from cliente.wetron.es to cliente. I really have to study this kerberos thingie ;-)
> Hi
> It doesn't work here either. The only way we can get it to authenticate or join the domain is to add:
> I.P.ADD.RRESS f.q.d.n short-hostname
> of the DC to /etc/hosts
> Steve

Oh, and:
127.0.0.1 localhost f.q.d.n
127.0.0.1 short-hostname
Re: [Samba] objectClass:posixAccount missing
On Sat, 2013-08-31 at 20:17 +0200, Luca Olivetti wrote:
> On 31/08/13 18:00, steve wrote:
>> Hi
>> It doesn't work here either. The only way we can get it to authenticate or join the domain is to add:
>> I.P.ADD.RRESS f.q.d.n short-hostname
>> of the DC to /etc/hosts
>> Steve
>> Oh, and:
>> 127.0.0.1 localhost f.q.d.n
>> 127.0.0.1 short-hostname
> That last bit did it (the I.P.ADD.RRESS f.q.d.n short-hostname was already there, one of those previous failed attempts):
> [root@cliente luca]# net ads join -U Administrator
> Enter Administrator's password:
> Using short domain name -- WETRON
> Joined 'CLIENTE' to dns domain 'wetron.es'
> No DNS domain configured for cliente. Unable to perform DNS Update.
> DNS update failed!
> Why is it necessary?

I think you may have had /etc/hostname with the fqdn, whereas it _should_ only have the hostname. IOW: You have to have
hostname -s
return _just_ the hostname _without_ the domain. And:
hostname -f
return the fqdn

I understand that you now have the domain join and sssd auth from the keytab without either the DNS update or the something not found errors?

Dare I mention that it is really nice with sssd v1.10 and above as it gives us dynamic dns updates on the fly for Linux clients, just like windows. But don't tell anyone lol.
Regards,
Steve
Re: [Samba] objectClass:posixAccount missing
On Fri, 2013-08-30 at 00:34 +0200, Luca Olivetti wrote:
> On 29/08/13 21:54, Rowland Penny wrote:
>>> Yes, I was trying sssd, but I forgot that I switched back nsswitch.conf to ldap, so I thought your suggestion was working while it actually wasn't (same error with Administrator as with HP$). Bye
>> Hi, I am replying to you on list, could you please post your sssd.conf and what version of sssd you are using, also what is your OS
> OK, now I got sssd working *but* without kerberos.

Hi
I'm not sure what you want. Is this now EOT or do you want to go on and debug to get gssapi? If you wish to go on:
samba-tool domain exportkeytab /etc/krb5.sssd.keytab --principal=nslcd-connect
(You may already have this from your nslcd config)
Kill all nslcd processes.
ldap_sasl_mech = gssapi
ldap_sasl_authid = nslcd-connect
ldap_krb5_keytab = /etc/krb5.sssd.keytab
To get full benefit from sssd I'd recommend the latest version which has a proper AD backend. e.g. sssd version 1.11.1 gives you id and getent without requiring the posixAccount objectClass. 1.11.1 is available here:
https://fedorahosted.org/released/sssd/sssd-1.11.0.tar.gz
Regards and good luck,
Steve
Re: [Samba] Samba 4 file-server usage
On Fri, 2013-08-30 at 11:25 +0200, Stéphane PURNELLE wrote:
> Hi, I test samba 4 for AD authentication and file-server usage. My file-server uses posix ACLs (XFS filesystem) to manage access between users. So I must use some trick (steve posix-tify script) for adding posixAccount to the activedirectory tree.

You do not need to add posixAccount. For recent versions of Samba4:
samba-tool user add stephane --uid-number=322 --gid-number=20513 --home-directory=/some/place --login-shell=/bin/sh
You only need the hack for old versions of Samba. We use a Samba 4.0.9 file server for a mix of about 80 xp and LXDE clients over cifs. It serves profiles, home folders and loads of other rubbish.
HTH
Steve
[Samba] front end for samba-tool user
Does anyone have a fill in the boxes type form for the new samba-tool user add? Under Linux?
Cheers,
Steve
Re: [Samba] objectClass:posixAccount missing
On Fri, 2013-08-30 at 18:58 +0100, Rowland Penny wrote:
> On 30/08/13 18:21, Luca Olivetti wrote:
>> On 30/08/13 18:54, steve wrote:
>>> Well, let's see:
>>> We can say for certain that /etc/krb5.keytab contains the key for nslcd-connect
>>> make sure you have:
>>> ldap_sasl_mech = gssapi
>>> ldap_sasl_authid = nslcd-conn...@wetron.es
>>> ldap_krb5_keytab = /etc/krb5.keytab
>>> (note, I think you had a different keytab in an older post. Lose it.)
>> Done
>>> Next, can you resolve the kerberos SRV record:
>>> host -t SRV _kerberos._udp.dc1.wetron.es.
>> It doesn't resolve, but _kerberos._udp.wetron.es. does
>> _kerberos._udp.wetron.es has SRV record 0 100 88 hp.wetron.es.
>>> What do you have for /etc/krb5.conf
>> [libdefaults]
>> default_realm = WETRON.ES
>> dns_lookup_realm = true
>> dns_lookup_kdc = true
>> [realms]
>> WETRON.ES = {
>> kdc = 192.168.4.101
>> admin_server = 192.168.4.101
>> }
>>> What does:
>>> sssd --version
>>> give?
>> 1.9.4
>> In case it matters, sasl is 2.1.25, and I have the relevant plugins installed:
>> # rpm -qa *sasl*
>> lib64sasl2-plug-sasldb-2.1.25-12.mga3
>> lib64sasl2-2.1.25-12.mga3
>> cyrus-sasl-2.1.25-12.mga3
>> lib64sasl2-plug-login-2.1.25-12.mga3
>> lib64sasl2-plug-plain-2.1.25-12.mga3
>> lib64sasl2-plug-ldapdb-2.1.25-12.mga3
>> lib64sasl2-plug-gssapi-2.1.25-12.mga3
>> lib64sasl2-devel-2.1.25-12.mga3
>> Bye
> Hi, How about this for an idea, get the OP to create a VM on Mageia, install Ubuntu 12.04 or Centos 6.4 in it and then compile samba 4 on the VM. Then setup winbind or nslcd or sssd on it, once this is working the OP can work out how to get the setup to run on Mageia himself.
> Rowland

Yep. +1 for the Ubuntu vm. We go for a git master because you can add rfc2307 via samba-tool.
Aim: To produce a Samba4 stand alone DC with a single user. getent passwd user returns his rfc2307 from the directory.
Any takers?
Steve
Re: [Samba] objectClass:posixAccount missing
On Fri, 2013-08-30 at 22:28 +0200, Luca Olivetti wrote:
> On 30/08/13 22:18, Rowland Penny wrote:
>> I take it that everything is now working ok and you can see all your users, if so, I suggest you write up how you did it and get it published somewhere.

Hi
That's a good idea. Often, when we've been in production for a while without errors, we lose sight of what it was like at the beginning. If there's anything here or in my sssd howto you would change it would be great if you could let us have it as a real user who isn't averse to getting his hands dirty. It's always best when it's still fresh in your mind.

> Actually both the configuration proposed by steve and yours were OK. The only problem was the hostname mismatch (causing the server not found in kerberos database error) and then a faulty cyrus-sasl library. I already filed a bug against the cyrus-sasl library in mageia. Thank you again.

Interesting point; you've now sampled winbind, nslcd and sssd to the same end. Have you made a decision as to which you'll be going with?
Have a good weekend.
Steve
Re: [Samba] objectClass:posixAccount missing
On Fri, 2013-08-30 at 19:30 +0200, Luca Olivetti wrote:
> On 30/08/13 19:00, Rowland Penny wrote:
>> The above was taken from: https://wiki.samba.org/index.php/Samba_4/OS_Requirements#Red_Hat_Enterprise_Linux_or_CentOS
> Yes, I read the wiki before starting, I have all the dependencies installed
>> Check that you have all the above installed and if not, install what ever is missing and recompile samba 4
>> Also, it may help if you try another OS, no disrespect, but Mageia is not really what I would call a server distro and is probably not used by many people to run samba 4 on, so you will struggle to get precise help here (ducks as thousands of people reply saying I use Mageia ;-) )
> Thank you, but I will do with generic help, I can perform the necessary translations. I tried other distributions and I found them lacking (probably because I'm just used to mageia), usually the server packages in mageia (and mandriva before it) have been top notch, samba 4 is not packaged (yet) but it will be soon.

Just thinking out loud but there have been problems with nslcd and I think winbind too before this. I don't know if this would be possible and I know that the devs would frown upon it, but maybe we've reached the time for a rebuild over bare metal. Rowland's suggestion of a recompile gets a +1 from me.
Cheers,
Steve
Re: [Samba] objectClass:posixAccount missing
On Fri, 2013-08-30 at 17:45 +0100, Rowland Penny wrote:
> Hi Steve, let's just get something to work for the OP first.

Agreed. It seems we now at least have a keytab that we can use for certain. Pls see my interim post.
Re: [Samba] objectClass:posixAccount missing
On Fri, 2013-08-30 at 19:44 +0100, Rowland Penny wrote:
> On 30/08/13 19:14, steve wrote:
>> On Fri, 2013-08-30 at 18:58 +0100, Rowland Penny wrote:
>>> On 30/08/13 18:21, Luca Olivetti wrote:
>>>> On 30/08/13 18:54, steve wrote:
>>>>> Well, let's see:
>>>>> We can say for certain that /etc/krb5.keytab contains the key for nslcd-connect
>>>>> make sure you have:
>>>>> ldap_sasl_mech = gssapi
>>>>> ldap_sasl_authid = nslcd-conn...@wetron.es
>>>>> ldap_krb5_keytab = /etc/krb5.keytab
>>>>> (note, I think you had a different keytab in an older post. Lose it.)
>>>> Done
>>>>> Next, can you resolve the kerberos SRV record:
>>>>> host -t SRV _kerberos._udp.dc1.wetron.es.
>>>> It doesn't resolve, but _kerberos._udp.wetron.es. does
>>>> _kerberos._udp.wetron.es has SRV record 0 100 88 hp.wetron.es.
>>>>> What do you have for /etc/krb5.conf
>>>> [libdefaults]
>>>> default_realm = WETRON.ES
>>>> dns_lookup_realm = true
>>>> dns_lookup_kdc = true
>>>> [realms]
>>>> WETRON.ES = {
>>>> kdc = 192.168.4.101
>>>> admin_server = 192.168.4.101
>>>> }
>>>>> What does:
>>>>> sssd --version
>>>>> give?
>>>> 1.9.4
>>>> In case it matters, sasl is 2.1.25, and I have the relevant plugins installed:
>>>> # rpm -qa *sasl*
>>>> lib64sasl2-plug-sasldb-2.1.25-12.mga3
>>>> lib64sasl2-2.1.25-12.mga3
>>>> cyrus-sasl-2.1.25-12.mga3
>>>> lib64sasl2-plug-login-2.1.25-12.mga3
>>>> lib64sasl2-plug-plain-2.1.25-12.mga3
>>>> lib64sasl2-plug-ldapdb-2.1.25-12.mga3
>>>> lib64sasl2-plug-gssapi-2.1.25-12.mga3
>>>> lib64sasl2-devel-2.1.25-12.mga3
>>>> Bye
>>> Hi, How about this for an idea, get the OP to create a VM on Mageia, install Ubuntu 12.04 or Centos 6.4 in it and then compile samba 4 on the VM. Then setup winbind or nslcd or sssd on it, once this is working the OP can work out how to get the setup to run on Mageia himself.
>>> Rowland
>> Yep. +1 for the Ubuntu vm. We go for a git master because you can add rfc2307 via samba-tool.
>> Aim: To produce a Samba4 stand alone DC with a single user. getent passwd user returns his rfc2307 from the directory.
>> Any takers?
>> Steve
> Hi Steve, the idea was for the OP to create the VM and we could talk him through setting up samba 4 on it. I think that he may just be the only person in the world that is trying to use Mageia for samba 4, so we need to show him how to setup samba 4 on a main stream distro, this should then help him to work out where he is going wrong with his setup.
> Rowland

Yep. Let me know if I can help.
Cheers,
Steve
Re: [Samba] objectClass:posixAccount missing
On Fri, 2013-08-30 at 20:45 +0200, Luca Olivetti wrote:
> Almost, almost...

Well. Something is better than nothing, but we are still missing the attributes coming from AD.
Regards,
Steve
Re: [Samba] objectClass:posixAccount missing
On Fri, 2013-08-30 at 19:21 +0200, Luca Olivetti wrote:
> On 30/08/13 18:54, steve wrote:
>> Well, let's see:
>> We can say for certain that /etc/krb5.keytab contains the key for nslcd-connect
>> make sure you have:
>> ldap_sasl_mech = gssapi
>> ldap_sasl_authid = nslcd-conn...@wetron.es
>> ldap_krb5_keytab = /etc/krb5.keytab
>> (note, I think you had a different keytab in an older post. Lose it.)
> Done
>> Next, can you resolve the kerberos SRV record:
>> host -t SRV _kerberos._udp.dc1.wetron.es.
> It doesn't resolve, but _kerberos._udp.wetron.es. does
> _kerberos._udp.wetron.es has SRV record 0 100 88 hp.wetron.es.

That's good. Sorry, I didn't know your domain or hostnames

>> What do you have for /etc/krb5.conf
> [libdefaults]
> default_realm = WETRON.ES
> dns_lookup_realm = true
> dns_lookup_kdc = true

Remove the [realms] section and change:
dns_lookup_realm = false
(I'm assuming that this is a single DC)
I also have:
cyrus-sasl-32bit
Now go through everything in the thread, clear everything in /var/lib/sss/db/* and restart sssd. Make sure that nscd is not running.
HTH
Steve
Re: [Samba] objectClass:posixAccount missing
On Fri, 2013-08-30 at 21:53 +0200, Luca Olivetti wrote:
> http://www.spinics.net/lists/cyrus-sasl/msg02004.html
> I'll try to build a version with the fix

Good luck.
ftp://ftp.cyrusimap.org/cyrus-sasl/cyrus-sasl-2.1.26.tar.gz
Re: [Samba] objectClass:posixAccount missing
On Fri, 2013-08-30 at 16:05 +0100, Rowland Penny wrote:
> On 30/08/13 15:48, Luca Olivetti wrote:
>> On 30/08/13 11:41, Rowland Penny wrote:
>>> OK, try this sssd.conf that I have altered for your setup, it is based on the sssd.conf on the machine that I am typing this on and it works, you just need the krb5.keytab that I told you how to create earlier.
>> That was
>> /usr/local/samba/bin/samba-tool domain exportkeytab /etc/krb5.keytab -U Administrator

Hi
This command dumps the _whole_ of the database to the keytab, so you must choose which key you are going to use for:
ldap_sasl_authid
If you really do need all the keys there then could you send us a sanitised dump of the keytab so we can decide a good key to use? And more importantly one which is definitely present?
klist -k /etc/krb5.keytab
It is generally recommended to only dump the keys you need.

>> [[sssd[ldap_child[8011 [select_principal_from_keytab] (0x0200): trying to select the most appropriate principal from keytab
>> [[sssd[ldap_child[8011 [find_principal_in_keytab] (0x0400): No principal matching template.wetron...@wetron.es found in keytab.
>> [[sssd[ldap_child[8011 [find_principal_in_keytab] (0x0400): No principal matching TEMPLATE$@WETRON.ES found in keytab.
>> [[sssd[ldap_child[8011 [find_principal_in_keytab] (0x0400): No principal matching host/template.wetron...@wetron.es found in keytab.
>> [[sssd[ldap_child[8011 [select_principal_from_keytab] (0x0200): Selected principal: dept-66f575a885$@WETRON.ES
>> [[sssd[ldap_child[8011 [ldap_child_get_tgt_sync] (0x0100): Principal name is: [dept-66f575a885$@WETRON.ES]
>> [[sssd[ldap_child[8011 [ldap_child_get_tgt_sync] (0x0100): Using keytab [default]
>> [[sssd[ldap_child[8011 [ldap_child_get_tgt_sync] (0x0100): Will canonicalize principals
>> [[sssd[ldap_child[8011 [prepare_response] (0x0400): Building response for result [0]
>> [[sssd[ldap_child[8011 [main] (0x0400): ldap_child completed successfully
>> [sssd[be[wetron.es]]] [read_pipe_handler] (0x0400): EOF received, client finished
>> [sssd[be[wetron.es]]] [sdap_get_tgt_recv] (0x0400): Child responded: 0 [FILE:/var/lib/sss/db/ccache_WETRON.ES], expired on [1377878906]
>> [sssd[be[wetron.es]]] [sdap_cli_auth_step] (0x0100): expire timeout is 900
>> [sssd[be[wetron.es]]] [sasl_bind_send] (0x0100): Executing sasl bind mech: GSSAPI, user: (null)
>> [sssd[be[wetron.es]]] [sasl_bind_send] (0x0020): ldap_sasl_bind failed (-2)[Local error]
>> [sssd[be[wetron.es]]] [sasl_bind_send] (0x0080): Extended failure message: [SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Server not found in Kerberos database)]
> Where did you get samba4 from, did you compile it yourself? what version? what OS are you using, if you did compile it yourself, what packages did you install before compiling.
>> Note that I get the last error even if I add ldap_sasl_authid = Administrator

Have you dumped the Administrator key to the keytab? If it isn't in the keytab it's not going to find a match either. Why not simply choose something which you _do_ have?
ldap_sasl_mech = gssapi
ldap_sasl_authid = something.you.do.have.in.the.keytab
ldap_krb5_keytab = /etc/krb5.keytab
HTH to get us closer.
Cheers,
Steve
Re: [Samba] objectClass:posixAccount missing
On Fri, 2013-08-30 at 18:42 +0200, Luca Olivetti wrote:
> On 30/08/13 18:15, steve wrote:
>> On Fri, 2013-08-30 at 16:05 +0100, Rowland Penny wrote:
>>> On 30/08/13 15:48, Luca Olivetti wrote:
>>>> On 30/08/13 11:41, Rowland Penny wrote:
>>>>> OK, try this sssd.conf that I have altered for your setup, it is based on the sssd.conf on the machine that I am typing this on and it works, you just need the krb5.keytab that I told you how to create earlier.
>>>> That was
>>>> /usr/local/samba/bin/samba-tool domain exportkeytab /etc/krb5.keytab -U Administrator
>> Hi
>> This command dumps the _whole_ of the database to the keytab, so you must choose which key you are going to use for:
>> ldap_sasl_authid
> Oops, I was just following instructions :-/ I promise that, when everything is working, I'll read all the relevant manpages (I usually do it _before_ blindly typing what's been suggested, but...) ;-)
>> If you really do need all the keys there then could you send us a sanitised dump of the keytab so we can decide a good key to use? And more importantly one which is definitely present?
>> klist -k /etc/krb5.keytab
>> It is generally recommended to only dump the keys you need.
> Which it does with the --principal option, yes? (but, as I just learned, each command *adds* to the keytab, so I have to delete the file first). BTW, if I use --principal=nslcd-connect it is listed 3 times:
> # klist -k /etc/krb5.keytab
> Keytab name: FILE:/etc/krb5.keytab
> KVNO Principal
> ---- ---------
> 1 nslcd-conn...@wetron.es
> 1 nslcd-conn...@wetron.es
> 1 nslcd-conn...@wetron.es

Fine. We can now say that nslcd is both in the keytab and in the database on the DC (otherwise it wouldn't have dumped the key there). You have 3 entries corresponding to different encryption types. Use:
klist -ke
to see which they are. You don't need to know though.

>> Have you dumped the Administrator key to the keytab? If it isn't in the keytab it's not going to find a match either. Why not simply choose something which you _do_ have?
>> ldap_sasl_mech = gssapi
>> ldap_sasl_authid = something.you.do.have.in.the.keytab
>> ldap_krb5_keytab = /etc/krb5.keytab
> Again, I was following suggestions, anyway, both with -U and with --principal=nslcd-connect I was using an ldap_sasl_authid that was in the keytab (as per keytab -k), but the error is the same:
> [sssd[be[wetron.es]]] [sasl_bind_send] (0x0100): Executing sasl bind mech: GSSAPI, user: nslcd-connect
> [sssd[nss]] [client_recv] (0x0200): Client disconnected!
> [sssd[be[wetron.es]]] [sasl_bind_send] (0x0020): ldap_sasl_bind failed (-2)[Local error]
> [sssd[be[wetron.es]]] [sasl_bind_send] (0x0080): Extended failure message: [SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Server not found in Kerberos database)]
>> HTH to get us closer.
> I cannot thank you enough, but I feel I'm not getting any closer :-(

Well, let's see:
We can say for certain that /etc/krb5.keytab contains the key for nslcd-connect
make sure you have:
ldap_sasl_mech = gssapi
ldap_sasl_authid = nslcd-conn...@wetron.es
ldap_krb5_keytab = /etc/krb5.keytab
(note, I think you had a different keytab in an older post. Lose it.)
Next, can you resolve the kerberos SRV record:
host -t SRV _kerberos._udp.dc1.wetron.es.
What do you have for /etc/krb5.conf
What does:
sssd --version
give?
Cheers,
Steve
Re: [Samba] Samba4 Member Server not working
On Thu, 2013-08-29 at 11:14 +1200, Andrew Bartlett wrote:
> On Wed, 2013-08-28 at 20:11 -0300, Carlos Alberto Borges Garcia wrote:
>> Hi, I have one Samba4 server running as Active Directory Domain Controller. It's working like a charm. So I needed to add another server to be a Member Server (File Server). The server is running samba-4.0.9. Configured and compiled ok:
>> ./configure --prefix=/usr/local/samba --sysconfdir=/etc --localstatedir=/var --mandir=/usr/man --bindir=/usr/bin --sbindir=/usr/sbin --libdir=/lib --enable-fhs --with-ads --with-shared-modules=idmap_ad,pam
>> Installed ok. Kerberos OK. I can run kinit and klist
>> root@MYNETSRV08:/etc/samba# kinit Administrator
>> Password for administra...@mynet.net:
>> root@MYSRV08:/etc/samba#
>> root@MYNETSRV08:/etc/samba# klist
>> Ticket cache: FILE:/tmp/krb5cc_0
>> Default principal: administra...@mynet.net
>> Valid starting     Expires            Service principal
>> 28/08/2013 19:59   29/08/2013 05:59   krbtgt/mynet@mynet.net
>>     renew until 29/08/2013 19:59
>> root@MYNETSRV08:/etc/samba#
>> My SMB.CONF is below:
>> [global]
>> workgroup = MYNET
>> security = ADS
>> realm = MYNET.NET
>> encrypt passwords = yes
>> idmap config *:backend = tdb
>> idmap config *:range = 70001-8
>> idmap config MYNET:backend = ad
>> idmap config MYNET:schema_mode = rfc2307
>> idmap config MYNET:range = 500-4
>> winbind nss info = rfc2307
>> winbind trusted domains only = no
>> winbind use default domain = yes
>> winbind enum users = yes
>> winbind enum groups = yes
>> [test]
>> path = /mnt/files
>> read only = no
>> I can add my server to domain:
>> root@PCOSRV08:/etc/samba# net ads join -U administrator
>> Enter administrator's password:
>> Using short domain name -- MYNET
>> Joined 'MYNETSRV08' to dns domain 'mynet.net'
>> root@MYNETSRV08:/etc/samba#
>> libnss_winbind.so is in the right place:
>> root@MYNETSRV08:/etc/samba# ls /lib/libnss_winbind.so*
>> /lib/libnss_winbind.so /lib/libnss_winbind.so.2
>> The libs are loaded fine:
>> root@MYNETSRV08:/etc/samba# ldconfig -v | grep libnss
>> libnss_hesiod.so.2 - libnss_hesiod-2.13.so
>> libnss_compat.so.2 - libnss_compat-2.13.so
>> libnss_dns.so.2 - libnss_dns-2.13.so
>> libnss_ldap.so.2 - libnss_ldap.so.2
>> libnss_nis.so.2 - libnss_nis-2.13.so
>> libnss_nisplus.so.2 - libnss_nisplus-2.13.so
>> libnss_files.so.2 - libnss_files-2.13.so
>> libnss_wins.so - libnss_wins.so.2
>> libnss_winbind.so - libnss_winbind.so.2
>> libnss_hesiod.so.2 - libnss_hesiod-2.13.so
>> libnss_compat.so.2 - libnss_compat-2.13.so
>> libnss_dns.so.2 - libnss_dns-2.13.so
>> libnss_nis.so.2 - libnss_nis-2.13.so
>> libnss_nisplus.so.2 - libnss_nisplus-2.13.so
>> libnss_files.so.2 - libnss_files-2.13.so
>> root@MYNETSRV08:/etc/samba#
>> I added winbind to my nsswitch.conf
>> passwd: compat winbind
>> group: compat winbind
>> I can start the daemon without issues:
>> smbd
>> nmbd
>> winbindd
>> wbinfo -u list all my domain users
>> wbinfo -g list all my domain groups
>> Here are the problems:
>> When I run getent passwd, it lists only the local users.
> For performance reasons, by default we do not list users in the AD domain. See winbind enum users in your smb.conf

His smb.conf above shows that the OP has those lines for both users and groups.

>> When I run id Administrator, it returns No such user.
> You need to use 'id MYNET\\administrator'

smb.conf has:
winbind use default domain = Yes
Do we still need MYNET\\?
Do your users have entries for:
uidNumber and gidNumber
in AD?
Cheers
Steve
Re: [Samba] objectClass:posixAccount missing
On Thu, 2013-08-29 at 01:30 +0200, Marc Muehlfeld wrote:
> On 29.08.2013 00:10, Luca Olivetti wrote:
>>> Yeah, nslcd works well, but for AD functionality and speed, sssd is the only way to go for nss on Samba4 or any m$ server. Just my €0.02
>> I'll try it. I only used nslcd because that's what was suggested in the samba wiki.
> The Winbind and sssd Howto isn't finished yet. Currently I don't have too much time, but I'm working on it. :-)

We have sssd covered here:
http://linuxcostablanca.blogspot.com.es/2013/04/sssd-in-samba-40.html
sssd 1.11.1 was released today. I'll report back:)
HTH
Steve
Re: [Samba] nslcd / pam_ldap HowTo
On Thu, 2013-08-29 at 01:41 +0200, Marc Muehlfeld wrote:
> https://wiki.samba.org/index.php/Local_user_management_and_authentication/nslcd
> @All: Please give some feedback. Thanks.

Hi
The first 4 bullets of 'Method 2' are unnecessary. Why don't we use what we already have? How about this instead?
1. For a client joined to the domain, please skip to (3) below.
2. On the DC: Extract the machine key:
samba-tool domain exportkeytab /etc/krb5.keytab --principal=DC1$
3. Get tickets and create the cache:
k5start -f /etc/krb5.keytab -U -o nslcd -K 60 -b -k /tmp/nslcd.tkt
- Switch bullets 6 and 7: edit /etc/nsswitch.conf _before_ you start nslcd.
It's unfortunate we still have to cater for the old versions too. The extra mappings slow things down considerably for large domains, especially as enumeration is enabled.
HTH
Steve
Re: [Samba] nslcd / pam_ldap HowTo
On Thu, 2013-08-29 at 13:08 +0200, Marc Muehlfeld wrote:
> I think most companies running Samba in production don't use the latest versions of everything, because they run enterprise distributions like RHEL, SLES, Debian, etc. At work we only run self compiled software when there's a requirement for that, because everything that isn't updated through the package manager is extra work

Not everyone has the luxury of being able to take hardware for granted. Most of us have to make do with what we have. E.g. running a Samba domain in a school of 600 students with 80 10 year old machines is simply impossible with old versions of software. As far as AD is concerned, it is unfortunate that Red Hat have decided to retain the 0.7 series of nss-pam-ldapd. Everyone else has at least 0.8.10, the one where AD compatibility was addressed.

Thanks for inviting comments. I think that by doing so, you are in a strong position to produce a howto that will be accurate, useful and above all, doable.
Re: [Samba] Samba4 Member Server not working
On Thu, 2013-08-29 at 14:21 -0300, Carlos Alberto Borges Garcia wrote:
> Hi, Where can I enter these values in AD?

Hi
If you have a recent version of Samba4, you can add them when you create new users:
samba-tool user add --help
will give the options. If you already have the users, just edit their entries e.g.:
ldbedit --url=/usr/local/samba/private/sam.ldb cn=carlos
Add a minimum of:
uidNumber: 1234567
gidNumber: 12345
Your winbind will then pull this information from AD when needed. You can get sensible values for uidNumber from idmap e.g.:
wbinfo -i carlos
HTH
Steve
Re: [Samba] Samba4 Member Server not working
On Thu, 2013-08-29 at 19:46 +0200, steve wrote:
> You can get sensible values for uidNumber from idmap e.g.:
> wbinfo -i carlos

** Don't forget to change:
idmap config MYNET:range = 500-4
to include your new values. Something like:
300-310
Re: [Samba] Samba4 Member Server not working
On Thu, 2013-08-29 at 14:59 -0300, Carlos Alberto Borges Garcia wrote:
> Still not working:
> I created a test user:
> dn: CN=test,CN=Users,DC=mynet,DC=net
> objectClass: top
> objectClass: person
> objectClass: organizationalPerson
> objectClass: user
> cn: test
> givenName: test
> instanceType: 4
> whenCreated: 20130827212151.0Z
> displayName: test
> uSNCreated: 45308
> name: teste
> objectGUID: fee0d4a4-fd48-48ac-abb3-ce6fb180b10d
> badPwdCount: 0
> codePage: 0
> countryCode: 0
> badPasswordTime: 0
> lastLogoff: 0
> lastLogon: 0
> primaryGroupID: 513
> objectSid: S-1-5-21-3124563532-696977291-52706181-1501131
> accountExpires: 9223372036854775807
> logonCount: 0
> sAMAccountName: test
> sAMAccountType: 805306368
> userPrincipalName: t...@mynet.net
> objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=mynet,DC=net
> pwdLastSet: 13022112112000
> url: uidNumber
> userAccountControl: 512
> msDS-SupportedEncryptionTypes: 0
> gidNumber: 12345
> uidNumber: 1234567
> whenChanged: 20130829175016.0Z
> uSNChanged: 47069
> distinguishedName: CN=test,CN=Users,DC=mynet,DC=net
> But if I run:
> id test
> id MYNET\test
> id MYNET\\test
> id t...@mynet.net
> I get No such user

Change:
uidNumber: 3000100
gidNumber: 80513
and in smb.conf:
idmap config MYNET:range = 80001-310
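The check Steve is asking for in the last few messages (the user's rfc2307 uidNumber/gidNumber must fall inside the `idmap config DOMAIN:range` of an `idmap_ad` backend, or winbind will not map the account and `id` reports "No such user") as an added, runnable example that is not code from the thread or from Samba. The smb.conf fragment, the LDIF entry and all numeric ranges below are constructed placeholders, not the OP's values.

```python
import re

# Constructed smb.conf fragment in the shape of the OP's member server;
# the ranges are placeholders, not the values from the thread.
SMB_CONF = """\
[global]
   workgroup = MYNET
   security = ADS
   realm = MYNET.NET
   idmap config * : backend = tdb
   idmap config * : range = 70001-80000
   idmap config MYNET : backend = ad
   idmap config MYNET : schema_mode = rfc2307
   idmap config MYNET : range = 10000-19999
   winbind nss info = rfc2307
   winbind use default domain = yes
"""

# Constructed single-entry LDIF mirroring the OP's test user (placeholder values).
LDIF_BAD = """\
dn: CN=test,CN=Users,DC=mynet,DC=net
sAMAccountName: test
uidNumber: 1234567
gidNumber: 12345
"""

# Same entry with the uidNumber moved inside the MYNET range.
LDIF_GOOD = LDIF_BAD.replace("uidNumber: 1234567", "uidNumber: 10100")

# Matches both 'idmap config MYNET : range = ...' and 'idmap config MYNET:range = ...'.
IDMAP_RE = re.compile(
    r"^\s*idmap\s+config\s+(?P<dom>[^:\s]+)\s*:\s*(?P<key>\w+)\s*=\s*(?P<val>.+?)\s*$",
    re.IGNORECASE,
)


def parse_idmap(conf):
    """Return {DOMAIN: {key: value}} for every 'idmap config DOM:key = value' line."""
    idmap = {}
    for line in conf.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            dom = idmap.setdefault(m.group("dom").upper(), {})
            dom[m.group("key").lower()] = m.group("val")
    return idmap


def parse_range(text):
    """'10000-19999' -> (10000, 19999)."""
    lo, hi = (int(x) for x in text.split("-"))
    return lo, hi


def parse_ldif(ldif):
    """Flatten a single-entry LDIF into a dict (last value wins for repeated attrs)."""
    attrs = {}
    for line in ldif.splitlines():
        if ":" in line and not line.startswith(" "):
            key, val = line.split(":", 1)
            attrs[key.strip()] = val.strip()
    return attrs


def check_user(conf, ldif, domain):
    """List the reasons 'id <user>' would fail for an rfc2307-mapped AD account."""
    problems = []
    idmap = parse_idmap(conf)
    dom = idmap.get(domain.upper())
    if dom is None or "range" not in dom:
        return [f"no 'idmap config {domain}:range' in smb.conf"]
    if dom.get("backend", "").lower() != "ad":
        problems.append(f"{domain}: backend is {dom.get('backend')!r}, not 'ad'")
    if dom.get("schema_mode", "").lower() != "rfc2307":
        problems.append(f"{domain}: schema_mode is not rfc2307")
    lo, hi = parse_range(dom["range"])
    user = parse_ldif(ldif)
    for attr in ("uidNumber", "gidNumber"):
        if attr not in user:
            problems.append(f"{attr} missing from AD entry")
            continue
        n = int(user[attr])
        if not lo <= n <= hi:
            problems.append(f"{attr} {n} outside idmap range {lo}-{hi} for {domain}")
    # Samba requires the idmap ranges of different domains not to overlap.
    for other, cfg in idmap.items():
        if other == domain.upper() or "range" not in cfg:
            continue
        l2, h2 = parse_range(cfg["range"])
        if l2 <= hi and lo <= h2:
            problems.append(f"range {lo}-{hi} overlaps with '{other}' range {l2}-{h2}")
    return problems


if __name__ == "__main__":
    for label, ldif in (("as posted", LDIF_BAD), ("corrected", LDIF_GOOD)):
        print(label + ":", check_user(SMB_CONF, ldif, "MYNET") or "OK")
```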
Re: [Samba] objectClass:posixAccount missing
On Thu, 2013-08-29 at 20:17 +0200, Luca Olivetti wrote:
> but then sssd complains that
> [[sssd[ldap_child[2300 [ldap_child_get_tgt_sync] (0x0100): Principal name is: [HP$@WETRON.ES]
> [[sssd[ldap_child[2300 [ldap_child_get_tgt_sync] (0x0100): Using keytab [/etc/krb5.keytab]
> [[sssd[ldap_child[2300 [ldap_child_get_tgt_sync] (0x0100): Will canonicalize principals
> [[sssd[ldap_child[2300 [prepare_response] (0x0400): Building response for result [0]
> [[sssd[ldap_child[2300 [main] (0x0400): ldap_child completed successfully
> [sssd[be[default]]] [read_pipe_handler] (0x0400): EOF received, client finished
> [sssd[be[default]]] [sdap_get_tgt_recv] (0x0400): Child responded: 0 [FILE:/var/lib/sss/db/ccache_WETRON.ES], expired on [1377842615]
> [sssd[be[default]]] [sdap_cli_auth_step] (0x0100): expire timeout is 900
> [sssd[be[default]]] [sasl_bind_send] (0x0100): Executing sasl bind mech: gssapi, user: HP$
> [sssd[be[default]]] [sasl_bind_send] (0x0020): ldap_sasl_bind failed (-2)[Local error]
> [sssd[be[default]]] [sasl_bind_send] (0x0080): Extended failure message: [SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Server not found in Kerberos database)]

Oooof. Painful!
Marc's howto will be here soon:)
Re: [Samba] Samba4 Member Server not working
On Thu, 2013-08-29 at 15:29 -0300, Carlos Alberto Borges Garcia wrote:
> Still not working :(

Turn off nscd? Give up? Use nslcd or sssd instead? Can't think of anything else:(
Re: [Samba] Samba4 Member Server not working
On 29/08/13 20:29, Carlos Alberto Borges Garcia wrote:
> But if I run:
> id test
> id MYNET\test
> id MYNET\\test
> id t...@mynet.net
> I get No such ser

That should be:
id test
not:
id MYNET\\test
Re: [Samba] Change default GID of users
On Tue, 2013-08-27 at 16:07 -0300, Bruno Vane wrote:
> Hi Steve,
> Seems that this attribute does not matter, see my user bruno.vane:
> primaryGroupID: 513
> gidNumber: 100

Hi
How are you obtaining the information from AD?
If you set:
gidNumber: 100
in the DN of a user, then that is what will be returned when e.g. nss-ldapd is used. It will not return primaryGroupID unless you have mapped that attribute to gidNumber in nslcd.conf. primaryGroupID is not an rfc2307 attribute.
HTH
Re: [Samba] objectClass:posixAccount missing
On Wed, 2013-08-28 at 00:06 +0200, Luca Olivetti wrote:
> On 27/08/13 23:02, Rowland Penny wrote:
>> If nslcd needs the posix objectclasses, then that is their bug, windows does not use them so Samba 4 doesn't either.
>
> I wouldn't be so sure, since many (all?) of the attributes specified by rfc2307 are not needed by windows but are there for compatibility with unix. I don't know what a real windows server does, but it seems it can work with nslcd, see, e.g., here
> https://help.ubuntu.com/community/ADWin2k8KerberosLDAP

This document has been tested on Windows Server 2008 and Ubuntu 10.04. 2008 does not add the posixAccount nor posixGroup classes. Samba4 uses the same schema. You can add them if you wish but they will be ignored. nslcd works with both 2008 and Samba4 with exactly the same nslcd.conf but be sure to use version 0.8.10 or above which contains all the AD stuff.
HTH
Steve
Re: [Samba] objectClass:posixAccount missing
On Wed, 2013-08-28 at 00:30 +0200, Luca Olivetti wrote:
> On 27/08/13 23:56, Gary Greene wrote:
>> If you set it up with '--use-rfc2307', nslcd needs configured as though it is talking to an SFU 3.5 DC. The RFC 2307bis attributes never add additional classes to the AD member objects, even in an SFU environment.
>
> Thank you, that gave me a hint: I added a
> filter passwd (objectclass=user)
> to /etc/nslcd.conf and that gave me the missing users. I suppose I should add also a
> filter group (objectclass=group)
> for groups. Note that those filters are also, e.g. here
> https://help.ubuntu.com/community/ADWin2k8KerberosLDAP
> but I overlooked them.

With recent versions of nslcd, neither of the filters is needed; they serve only to slow down lookups. All that is needed is:

uid nslcd
gid nslcd
uri ldap://your.f.q.d.n
base dc=foo,dc=bar
map passwd uid samAccountName
map passwd homeDirectory unixHomeDirectory
sasl_mech GSSAPI
sasl_realm SOME.REALM
krb5_ccname /tmp/nslcd.tkt

hth to speed things up a little.
Steve
Re: [Samba] Problem with nslcd and samba
On Wed, 2013-08-28 at 10:34 +0200, Stéphane PURNELLE wrote:
> Hi,
> I try to use nslcd with samba 4 to get users and groups from AD. If I do a ldapsearch, I have a message:
> Server not in kerberos database

Hi
You get those errors when you are not joined to the domain. Is this the DC or a client?
Re: [Samba] Problem with nslcd and samba
On Wed, 2013-08-28 at 11:03 +0200, Stéphane PURNELLE wrote:
> Hi,
> On the DC
> File-server and DC are on the same server.

Hi
Is it really there?
nslookup admin01
ldbsearch --url=/usr/local/samba/private/sam.ldb cn=admin01
samba-tool domain exportkeytab /tmp/test.keytab --principal=ADMIN01$
klist -k
Steve
Re: [Samba] objectClass:posixAccount missing
On Wed, 2013-08-28 at 13:17 +0200, Luca Olivetti wrote:
> On 28/08/13 09:58, steve wrote:
>>> filter passwd (objectclass=user)
>>> to /etc/nslcd.conf and that gave me the missing users. I suppose I should add also a
>>> filter group (objectclass=group)
>> [...]
>> With recent versions of nslcd, neither of the filters are needed and serve only to slow down lookups. All that is needed is:
>
> 0.8.12 is not recent enough and those filters are needed.

I'll try 0.8.12 later but I doubt it will have changed:
- - -
hh16:/home/steve # samba --version
Version 4.2.0pre1-GIT-617c647
hh16:/home/steve # nslcd --version
nss-pam-ldapd 0.8.10

uid nslcd-user
gid nslcd-user
uri ldap://hh3.site
base dc=hh3,dc=site
map passwd uid samAccountName
map passwd homeDirectory unixHomeDirectory
sasl_mech GSSAPI
sasl_realm HH3.SITE
krb5_ccname /tmp/nslcd.tkt

hh16:/home/steve # k5start -v -f /etc/krb5.keytab -U -o nslcd-user -K 360 -k /tmp/nslcd.tkt
hh16:/home/steve # getent passwd
...
steve2:*:321:20513:steve2:/home/users/steve2:/bin/bash
steve3:*:322:20513:steve3:/home/users/steve3:/bin/bash
...
- - -
Cheers,
Steve
Re: [Samba] nslcd: kerberos vs. simple bind
On Wed, 2013-08-28 at 18:37 +0200, Marc Muehlfeld wrote:
> Hello,
> I took this out of the OpenSSH auth in SAMBA4 LDAP thread, because it was drifting away from its original question :-)
> I played this afternoon a bit with nslcd and kerberos for extending my Wiki HowTo. But the more I read, the bigger one question becomes: What are the advantages of kerberos against simple bind with DN and password?
> Simple bind method: Create a user, add the credentials to the root only readable file nslcd.conf. Done
> Kerberos: Create user, add a SPN, extract keytab, edit nslcd.conf (ok. This is all done only once.). But then, if I understand it right, I need something that renews the kerberos ticket from time to time. In your blog you use k5start for that. Also Fedora 19 and RHEL6 don't have it in their repositories. So something more to compile and to be ensured that it starts and runs. :-)
> So currently I don't see what the advantages of Kerberos are and in which way it should be easier or anything else. :-)
> Maybe someone can give me (a Kerberos beginner) some answers/hints. :-)

Hi
If you're happy with plain text passwords being passed over the network then use them. There may be some admins that will not be able to do that though, so. . .
You may want to kerberise it. It's very easy: you don't need to create anything new. Just use an object you already have. You always have a machine key for example. On the DC, you'll have to extract its keytab but otherwise, away you go:
k5start -v -f /etc/krb5.keytab -U -o nslcd-user -K 360 -k /tmp/nslcd.tkt
If you need to be up more than 10 hours a day and if you don't like k5start, cron it.
The clients already have the keytab so nothing else to do.
HTH
Re: [Samba] nslcd: kerberos vs. simple bind
On Wed, 2013-08-28 at 18:37 +0200, Marc Muehlfeld wrote:
> In your blog you use k5start for that. Also Fedora 19 and RHEL6 don't have it in their repositories. So something more to compile and to be ensured that it starts and runs. :-)

A quick google shows that both Fedora and Red Hut Pizza have k5start. It's in the package:
kstart
HTH
Cheers
Re: [Samba] objectClass:posixAccount missing
On Wed, 2013-08-28 at 19:15 +0200, Luca Olivetti wrote:
> Without the filter
> $ id aimaretti
> uid=1234(aimaretti) gid=513(Domain Users) grups=513(Domain Users),675(intranet),676(portal),507(devel)
> $ id pruebaunix
> id: pruebaunix: l’usuari no existeix
> $ LC_ALL=en id pruebaunix
> id: pruebaunix: no such user

Hi
OK then, so just compare the DN of aimaretti with that of pruebaunix. Post them here if you like:
ldbsearch --url=/usr/local/samba/private/sam.ldb cn=aimaretti
and
ldbsearch --url=/usr/local/samba/private/sam.ldb cn=pruebaunix
Cheers,
Steve
Re: [Samba] nslcd: kerberos vs. simple bind
On Wed, 2013-08-28 at 19:27 +0200, Marc Muehlfeld wrote:
> On 28.08.2013 19:11, steve wrote:
>> If you're happy with plain text passwords being passed over the network then use them. There may be some admins that will not be able to do that though, so. . .
>
> Ok. This is a good argument I haven't thought about. In production I have used LDAPS. But the HowTo is currently describing it in plain text, right.
>
>> You may want to kerberise it. It's very easy: you don't need to create anything new. Just use an object you already have. You always have a machine key for example.
>
> Good idea with the machine key. If I use the machine account, then I have to re-export the keytab if I rejoin the machine, right?

No. Once you have exported the key to the keytab on the DC, that's it. Forever. The question doesn't make sense on a client. If you're on the DC, you do not have a default keytab, erm, by default, so just extract the machine key manually. On a remote client, the process of joining the domain with security=ADS and kerberos method = something will automatically create the keytab for you.
HTH
Steve
Re: [Samba] objectClass:posixAccount missing
On Wed, 2013-08-28 at 19:15 +0200, Luca Olivetti wrote:
> On 28/08/13 13:43, steve wrote:
>>> 0.8.12 is not recent enough and those filters are needed.
>> I'll try 0.8.12 later but I doubt it will have changed:
>
> I have 0.8.12
> $ rpm -q nss-pam-ldapd
> nss-pam-ldapd-0.8.12-3.mga3
>
> With the filter (aimaretti is a migrated user, pruebaunix is a new user)
> $ id aimaretti
> uid=1234(aimaretti) gid=513(Domain Users) grups=513(Domain Users),675(intranet),676(portal),507(devel)
> $ id pruebaunix
> uid=10069(pruebaunix) gid=513(Domain Users) grups=513(Domain Users),496(vcsa),675(intranet)
>
> Without the filter
> $ id aimaretti
> uid=1234(aimaretti) gid=513(Domain Users) grups=513(Domain Users),675(intranet),676(portal),507(devel)
> $ id pruebaunix
> id: pruebaunix: l’usuari no existeix
> $ LC_ALL=en id pruebaunix
> id: pruebaunix: no such user
>
> Do you think it's because I have specified a binddn and a bindpw?

Hi
Without objectClass: posixAccount you need the filter for nslcd. IOW, for AD, you either must add it yourself or use the nslcd filter. Windows does not need the objectClass. nslcd does unless you want to filter everything.
HTH
Steve
Re: [Samba] objectClass:posixAccount missing
On Wed, 2013-08-28 at 20:18 +0200, Luca Olivetti wrote:
> On 28/08/13 20:11, steve wrote:
>> Hi
>> Without objectClass: posixAccount you need the filter for nslcd. IOW, for AD, you either must add it yourself or use the nslcd filter. Windows does not need the objectClass. nslcd does unless you want to filter everything.
>
> Thank you, I thought that was the case. It's something that Marc will have to specify in the howto.

Hi
Yeah, nslcd works well, but for AD functionality and speed, sssd is the only way to go for nss on Samba4 or any m$ server.
Just my €0.02
Re: [Samba] nslcd / pam_ldap HowTo (was: OpenSSH auth in SAMBA4 LDAP)
On Tue, 2013-08-27 at 01:39 +0200, Marc Muehlfeld wrote:
> Hello Steve,
> thanks for your suggestions.
>
> On 27.08.2013 00:40, steve wrote:
>> 1. Nested groups work fine with nslcd. Please use the latest version:
>> man nslcd.conf(5)
>
> I use the version Redhat ships. I haven't used the latest version and I think most will use the one shipped with their distribution, too. But of course I've changed the information in the HowTo.
>
>> 2. We really should encourage users away from plain text passwords stored in files. nslcd works fine with sasl binds. The devs have worked hard to give us Kerberos out of the box. I think we should use it:
>> http://linuxcostablanca.blogspot.com.es/p/s4bind.html
>
> I wanted to first create a very simple and basic HowTo, because during the last time we often had questions about nslcd, etc. on the list. But you are right. Kerberos should be the preferred way. I'll have a look on that the next days and switch the HowTo to Kerberos or add this as an additional way. But give me some time, because I validate everything I publish.
>
>> 3. nslcd is already AD aware and this is not winbind so let's keep it simple. The following lines are not required/produce errors/slow down lookups.
>> filter passwd (&(objectClass=user)(!(objectClass=computer))(uidNumber=*))
>> map passwd gecos displayName
>> map passwd gidNumber primaryGroupID
>> filter group (&(objectClass=group)(gidNumber=*))
>> map group uniqueMember member
>
> Can you please give me more details here? I don't get any errors on RHEL6 here. Because of the removal of these lines, I'm not sure why. I have added them deliberately for the following reasons:
> If I remove the filter passwd line, then getent passwd returns nothing, no domain accounts any more.
> If I remove the map passwd gidNumber primaryGroupID, then id username doesn't return the primary group configured in AD in the unix tab.
> If I remove the filter group line, then getent group doesn't return domain groups any more.
> If I remove the map group uniqueMember member line, then id username won't tell me in which groups the user is.
> Do you have different results on your system?

Hi
Yes. All this changes as from version 0.8.10

> Or why would you remove these lines?

Current versions of nslcd do not require them. With red hat throwing some of their best coders at sssd through Fedora, it is understandable that nss-pam-ldapd maintenance will not be high priority;)

>> Again, it is important to use the latest version.
>
> I think most users first try the version shipped with their distribution, like me. Because every self compiled program is something you have to update manually (and on every server), while everything else can be done at once via yum/apt/whatever. I think it's not important to use the latest version, except it contains something I can't live without. But everybody has different opinions on that, I guess. ;-)

It seems that the majority of users build samba4 from source. In this case it is a simple step to also build nss-pam-ldapd. As you quite rightly say, you want to keep it simple. This is all that is needed as from 0.8.10 (which most distros now have):

uid nslcd
gid nslcd
uri ldap://your.f.q.d.n
base dc=foo,dc=bar
map passwd uid samAccountName
map passwd homeDirectory unixHomeDirectory
sasl_mech GSSAPI
sasl_realm YOUR_REALM
krb5_ccname /your/cache

Your distro must be still using the 0.7 series. One valid point that users make is that the Samba documentation is out of date/irrelevant/written for devs by devs. With nslcd and sssd howtos you have a golden opportunity to produce something both current and which is relevant and doable by anyone. If you decide to stay with the old version please make it clear by putting something like, 'This howto has been tested with x.y.z'. If you like, I'll put a 0.8.10 and newer configuration version to link to. As we recommend the latest stable version for Samba so should we recommend the latest version of all associated kit.
HTH
Thanks for your patience.
Steve
Re: [Samba] Change default GID of users
On Tue, 2013-08-27 at 12:14 -0300, Bruno Vane wrote:
> Hi all,
> I'm using samba4 as DC and using ssh/nslcd/pam in some machines to lookup ldap base in samba4 to allow access for users. My question is, how can I set the default GID of users to 100, to match the GID of group users in my linux machines? All users I create with ADUC are getting UID 513. These machines are joined in the domain.

Hi
Add the attribute:
gidNumber: 100
to the DN of Domain Users. The easiest way to do that is to:
ldbedit --url=/usr/local/samba/private/sam.ldb cn=Domain\ Users
HTH
Steve
Re: [Samba] Change default GID of users
On Tue, 2013-08-27 at 14:33 -0300, Bruno Vane wrote:
> Hi Steve,
> I did what you said, and when I create the user, nothing changes:

Hi
Sorry, you have to add:
gidNumber: 100
to the DN of each user too. Make sure that you clear the nscd cache after making any change to AD.
Steve
Re: [Samba] objectClass:posixAccount missing
On Tue, 2013-08-27 at 20:11 +0200, Marc Muehlfeld wrote:
> Do posixAccount/posixGroup objectClasses have to be there normally?

No. With the AD schema, you can use all of rfc2307 without the need for the objectclasses which define them. Just add the attributes.
HTH
Steve
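Two points from this thread are easy to get wrong in practice: an nslcd whose passwd filter still defaults to (objectClass=posixAccount) will show no AD users at all, because neither Windows 2008 nor Samba AD adds that class (the thread's fix is "filter passwd (objectClass=user)", or a newer nslcd), and the gid nslcd returns is the user's gidNumber, not primaryGroupID, unless nslcd.conf maps one to the other. The following Python script is an added example that models both behaviours; it is not code from the list, from the Samba wiki or from nslcd. The LDIF entries are constructed (the user names mirror the thread, the attribute values are made up), the filters are the ones quoted in the thread, and treating (objectClass=posixAccount) as nslcd's older default is an assumption stated in the code.

```python
"""Model of an nslcd-style passwd lookup over Samba AD entries (added example,
not code from the list thread or from nslcd). It shows why nslcd's classic
default filter (objectClass=posixAccount) hides AD users lacking that class, and
that the gid comes from gidNumber, not primaryGroupID, unless explicitly mapped.
The LDIF is constructed; the lookup logic is a simplification of nslcd."""

# Constructed directory content: a migrated user that still carries posixAccount,
# an AD-native user without it, and a computer object.
SAMPLE_LDIF = """\
dn: CN=aimaretti,CN=Users,DC=example,DC=test
objectClass: user
objectClass: posixAccount
sAMAccountName: aimaretti
primaryGroupID: 513
uidNumber: 1234
gidNumber: 513

dn: CN=pruebaunix,CN=Users,DC=example,DC=test
objectClass: user
sAMAccountName: pruebaunix
primaryGroupID: 513
uidNumber: 10069
gidNumber: 100

dn: CN=HP,CN=Computers,DC=example,DC=test
objectClass: user
objectClass: computer
sAMAccountName: HP$
primaryGroupID: 515
"""

# Filters quoted in the thread; the first is assumed to be nslcd's pre-0.8.10 default.
NSLCD_DEFAULT_PASSWD_FILTER = "(objectClass=posixAccount)"
AD_USER_FILTER = "(objectClass=user)"
HOWTO_PASSWD_FILTER = "(&(objectClass=user)(!(objectClass=computer))(uidNumber=*))"


def parse_ldif(text):
    """Parse simple LDIF into a list of {attr_lowercase: [values]} dicts."""
    entries, current = [], {}
    for line in text.splitlines():
        line = line.strip()
        if not line:                      # blank line ends a record
            if current:
                entries.append(current)
            current = {}
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip().lower(), []).append(value.strip())
    return entries + [current] if current else entries


def _parse_filter(s, i):
    """Recursive descent over the RFC 4515 subset used here: (&..), (|..), (!..),
    equality (attr=value) and presence (attr=*). Returns (node, next_index)."""
    if s[i] != "(":
        raise ValueError("expected '(' at offset %d" % i)
    op, i = s[i + 1], i + 1
    if op in "&|":
        subs, i = [], i + 1
        while s[i] == "(":
            node, i = _parse_filter(s, i)
            subs.append(node)
        return (op, subs), i + 1          # skip the closing ')'
    if op == "!":
        node, i = _parse_filter(s, i + 1)
        return ("!", node), i + 1
    end = s.index(")", i)
    attr, _, value = s[i:end].partition("=")
    return ("=", attr.strip().lower(), value.strip()), end + 1


def parse_filter(text):
    node, end = _parse_filter(text.strip(), 0)
    if end != len(text.strip()):
        raise ValueError("malformed filter: %r" % text)
    return node


def matches(entry, node):
    """Evaluate a parsed filter against one entry; values compare case-insensitively."""
    op = node[0]
    if op == "&":
        return all(matches(entry, n) for n in node[1])
    if op == "|":
        return any(matches(entry, n) for n in node[1])
    if op == "!":
        return not matches(entry, node[1])
    values = entry.get(node[1], [])
    if node[2] == "*":                    # presence filter
        return bool(values)
    return any(v.lower() == node[2].lower() for v in values)


def passwd_view(entries, filter_text, gid_from_primary_group=False):
    """Return (name, uid, gid) for each entry that passes the filter and has a
    uid and gid; gid_from_primary_group=True models the nslcd.conf line
    'map passwd gidNumber primaryGroupID'."""
    node = parse_filter(filter_text)
    gid_attr = "primarygroupid" if gid_from_primary_group else "gidnumber"
    rows = []
    for e in entries:
        if matches(e, node) and "uidnumber" in e and gid_attr in e:
            rows.append((e["samaccountname"][0], int(e["uidnumber"][0]),
                         int(e[gid_attr][0])))
    return rows


if __name__ == "__main__":
    for filt in (NSLCD_DEFAULT_PASSWD_FILTER, AD_USER_FILTER, HOWTO_PASSWD_FILTER):
        print(filt, "->", passwd_view(parse_ldif(SAMPLE_LDIF), filt))
```

Run directly, it prints which users each filter exposes. The HowTo filter and the bare (objectClass=user) filter give the same passwd set here, because the computer object is dropped anyway for lack of a uidNumber; that is the practical content of the remark that the extra filter clauses only add lookup time.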
Re: [Samba] OpenSSH auth in SAMBA4 LDAP
On Mon, 2013-08-26 at 19:09 +0200, Marc Muehlfeld wrote:
> passwd: files ldap
> shadow: files ldap
> group: files ldap

@marc
Just curious, but why are you trying to pull shadow from the directory?
Re: [Samba] OpenSSH auth in SAMBA4 LDAP
On Mon, 2013-08-26 at 20:12 +0200, Luca Olivetti wrote:
> On 26/08/13 19:09, Marc Muehlfeld wrote:
>> - Now you should be able to see all accounts (the local and domain accounts), when you type
>> # getent passwd
>
> I tried it on a test VM, but it only showed accounts migrated from samba 3+ldap (since they have the posix attributes), new users/groups added via samba-tool or windows didn't appear.

Hi
You add the attributes yourself when you create the user:
samba-tool user add luca --uid-number=1234567 --gid-number=45678 --home-directory=/some/place --login-shell=/bin/bash
HTH
Steve
Re: [Samba] OpenSSH auth in SAMBA4 LDAP
On Mon, 2013-08-26 at 18:02 -0300, Bruno Vane wrote:
> Hi Steve,
> I'm adding users through ADUC, in Remote Server Administration Tool.
>
>> new users/groups added via samba-tool or windows didn't appear.

Ah, I see. It's just that your message said samba-tool (as above). Managing rfc2307 from windows is not easy. With samba-tool it's very easy to add the posix attributes which you need for your new users.
Re: [Samba] nslcd / pam_ldap HowTo (was: OpenSSH auth in SAMBA4 LDAP)
On Tue, 2013-08-27 at 00:12 +0200, Marc Muehlfeld wrote:
> On 25.08.2013 09:27, Bruno Vane wrote:
>> I have some Ubuntu LTS servers running openssh server authenticating to external openldap. I installed a new Ubuntu LTS server with Samba4 to create a domain and it is working very well. I managed to make a pfsense firewall authenticate users in this Samba4 ldap. How to make openssh in Ubuntu authenticate users in Samba4 ldap?
>
> As the Winbind, sshd and nslcd HowTo I am currently working on is getting longer and longer, I decided to split it into three parts, so it won't get too confusing. Also then I can publish the already finished and validated nslcd part. And here it is:
> https://wiki.samba.org/index.php/Local_user_management_and_authentication/nslcd
> @Bruno: This HowTo should contain all the short information I already gave you here on the list in more detailed depth.
> @All: Feel free to give comments. Or let me know if something is missing/wrong.
> Regards,
> Marc

Hi
1. Nested groups work fine with nslcd. Please use the latest version:
man nslcd.conf(5)
2. We really should encourage users away from plain text passwords stored in files. nslcd works fine with sasl binds. The devs have worked hard to give us Kerberos out of the box. I think we should use it:
http://linuxcostablanca.blogspot.com.es/p/s4bind.html
3. nslcd is already AD aware and this is not winbind so let's keep it simple. The following lines are not required/produce errors/slow down lookups.
filter passwd (&(objectClass=user)(!(objectClass=computer))(uidNumber=*))
map passwd gecos displayName
map passwd gidNumber primaryGroupID
filter group (&(objectClass=group)(gidNumber=*))
map group uniqueMember member
Again, it is important to use the latest version.
Just my €0.02
Thank you for taking the time to document this.
Re: [Samba] OpenSSH auth in SAMBA4 LDAP
On Tue, 2013-08-27 at 00:28 +0200, Luca Olivetti wrote:
> On 26/08/13 22:54, steve wrote:
>> On Mon, 2013-08-26 at 20:12 +0200, Luca Olivetti wrote:
>>> On 26/08/13 19:09, Marc Muehlfeld wrote:
>>>> - Now you should be able to see all accounts (the local and domain accounts), when you type
>>>> # getent passwd
>>>
>>> I tried it on a test VM, but it only showed accounts migrated from samba 3+ldap (since they have the posix attributes), new users/groups added via samba-tool or windows didn't appear.
>>
>> Hi
>> You add the attributes yourself when you create the user:
>> samba-tool user add luca --uid-number=1234567 --gid-number=45678 --home-directory=/some/place --login-shell=/bin/bash
>
> samba-tool user add: error: no such option --uid-number
> (this is from samba 4.0.8)

It only works with 4.1 and newer. There is a script to do the same for 4.0.8 which also takes care of the uid increments when adding new users:
http://linuxcostablanca.blogspot.com.es/p/s4bind.html
HTH
Steve
Re: [Samba] issue with multiple Samba DC and uid/gid assignment.
On Sat, 2013-08-24 at 23:02 +, dahopk...@comcast.net wrote:
> Notice that the group id and uid are both different. Why?

How did you provision the second DC? Are they replicating OK? When they are, both DC's need:
idmap_ldb use:rfc2307 = Yes
in the [global] of their smb.conf
On either DC, winbind will only pull uid and gid from AD. If you want to see all of rfc2307, you must use sssd or nslcd. Then getent passwd will show not only the correct uidNumber and gidNumber, but also the loginShell and unixHomeDirectory too.
Advice: don't use Test24.User as a username for debugging. Lose the capitalisation and the dot.
HTH
Steve
Re: [Samba] issue with multiple Samba DC and uid/gid assignment.
On Sat, 2013-08-24 at 23:27 +, dahopk...@comcast.net wrote:
> A quick follow-on ... if I examine the local sam.ldb on the server2 via ldbedit, it appears the information is correct, but wbinfo still reports different numbers:

Replication OK then.

> wbinfo -i Test24.User
> Domain\Test24.User:*:3000134:100::/home/Domain/Test24.User:/bin/false

idmap_ldb use:rfc2307 = Yes
nscd not running ??
Re: [Samba] issue with multiple Samba DC and uid/gid assignment.
On Sun, 2013-08-25 at 17:03 +0100, Rowland Penny wrote:
> On 25/08/13 16:52, dahopk...@comcast.net wrote:
>> Hi,
>>
>>> Where does Windows 2008R2 fit into this setup, is it in the same domain? is it the primary AD server?
>>
>> It is a member server in the same domain on which we ran ADUC. It was a member of the prior samba3/LDAP authentication system. I can now log back onto this server and launch ADUC. All three of the samba4 DC are listed in Domain Controllers. However, since adding nslcd/nscd to ncssamba2, the only DC I can connect to is ncssamba1. When I try to select a different domain controller, I get
>> The list of Domain Controllers for domain ncs.k12.de.us is unavailable because: Access is Denied
>>
>>> I would suggest that you read Steve's site a bit more but this time about sssd. I would also suggest that you just use the Samba 4 DCs just for authentication and use the Samba fileservers to store the profiles etc. You would then not need anything but the basic Samba4 setup on the AD DCs.
>>
>> That is the goal except profiles/home directories were not being accessed correctly on the samba4 domain member servers which I am trying to resolve. I am still not clear if I should be installing nslcd on the AD DCs. And if I do, what is the correct setting for the following in nslcd.conf
>> # The location at which the LDAP server(s) should be reachable.
>> uri ldap://ncssamba1.ncs.k12.de.us/
>> Should this point to the local machine, e.g. ncssamba1 for nslcd running on ncssamba1, ncssamba2 for nslcd running on ncssamba2 or should it point to the same ldap server on all AD DCs? I am willing to migrate from nslcd to sssd but need to understand what needs to be uninstalled/installed where before attempting it.
>> Sincerely,
>> Dave Hopkins
>
> If you just use the Samba 4 ADs for authentication, you do not need anything else on them, you just need to add the relevant attributes (uidNumber, gidNumber, homeDirectory, profilePath etc) to each user. You just need to set up samba on the fileservers to pull and use this information. If you use sssd to do this, you will use kerberos, so very little extra needs to be added other than sssd, sssd-tools and krb5.
> Rowland

Hi
The OP is running nscd. This must be disabled, otherwise wbinfo and getent will always come from the cache. Any change to AD will not be reflected until the cache is cleared. I'm almost certain that the issue can be cured by disabling nscd.
Cheers,
Steve
[Samba] smbd looking for non existent files
Hi
4.0.8 file server in a 4.0.8 domain
After a user logs in on a Linux client which is joined to the domain, smbd is constantly looking for files which don't exist:
Here is the file server log after a user login to a Linux client has settled down:

[2013/08/24 18:43:24.748511, 3] ../source3/smbd/vfs.c:1140(check_reduced_name)
check_reduced_name [steve2/.icons/gnome] [/home/users]
[2013/08/24 18:43:24.751496, 3] ../source3/smbd/vfs.c:1270(check_reduced_name)
check_reduced_name: steve2/.icons/gnome reduced to /home/users/steve2/.icons/gnome
[2013/08/24 18:43:24.753922, 3] ../source3/smbd/trans2.c:5399(call_trans2qfilepathinfo)
call_trans2qfilepathinfo: SMB_VFS_LSTAT of steve2/.icons/gnome failed (No such file or directory)
[2013/08/24 18:43:24.755239, 3] ../source3/smbd/error.c:82(error_packet_set)
NT error packet at ../source3/smbd/trans2.c(5401) cmd=50 (SMBtrans2) NT_STATUS_OBJECT_NAME_NOT_FOUND
[2013/08/24 18:43:24.760257, 3] ../source3/smbd/process.c:1794(process_smb)
Transaction 1113 of length 122 (0 toread)
[2013/08/24 18:43:24.761808, 3] ../source3/smbd/process.c:1397(switch_message)
switch message SMBtrans2 (pid 1122) conn 0xb8f54520
[2013/08/24 18:43:24.770442, 3] ../source3/smbd/trans2.c:5291(call_trans2qfilepathinfo)
call_trans2qfilepathinfo: TRANSACT2_QPATHINFO: level = 512
[2013/08/24 18:43:24.774313, 3] ../source3/smbd/vfs.c:1140(check_reduced_name)
check_reduced_name [steve2/.icons/hicolor] [/home/users]
[2013/08/24 18:43:24.777104, 3] ../source3/smbd/vfs.c:1270(check_reduced_name)
check_reduced_name: steve2/.icons/hicolor reduced to /home/users/steve2/.icons/hicolor
[2013/08/24 18:43:24.780783, 3] ../source3/smbd/trans2.c:5399(call_trans2qfilepathinfo)
call_trans2qfilepathinfo: SMB_VFS_LSTAT of steve2/.icons/hicolor failed (No such file or directory)
[2013/08/24 18:43:24.785670, 3] ../source3/smbd/error.c:82(error_packet_set)
NT error packet at ../source3/smbd/trans2.c(5401) cmd=50 (SMBtrans2) NT_STATUS_OBJECT_NAME_NOT_FOUND
[2013/08/24 18:43:24.791477, 3] ../source3/smbd/process.c:1794(process_smb)
Transaction 1114 of length 128 (0 toread)
[2013/08/24 18:43:24.796225, 3] ../source3/smbd/process.c:1397(switch_message)
switch message SMBtrans2 (pid 1122) conn 0xb8f54520
[2013/08/24 18:43:24.798960, 3] ../source3/smbd/trans2.c:5291(call_trans2qfilepathinfo)

file server:
[global]
workgroup = HH3
realm = HH3.SITE
security = ADS
kerberos method = secrets and keytab
username map = /home/steve/smbmap
log level = 3
[users]
path = /home/users
read only = No

smbmap:
!Administrator = HH3\Administrator

Client:
[global]
workgroup = HH3
realm = HH3.SITE
security = ADS
kerberos method = system keytab

Tested with sssd and nslcd. (yes, it's the same with winbind)
Why is smbd looking for files which don't exist? Is there a cache I should clear?
Cheers,
Steve